1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

1853 Commits

Author SHA1 Message Date
Andrew Tridgell
377ffcb029 s4-drs: make debugging DsUpdateRefs a bit easier 2010-09-16 16:08:46 +10:00
Andrew Tridgell
e5cd023a41 s4-drs: initial skeleton for DrsReplica{Add,Del,Mod} calls 2010-09-16 16:08:46 +10:00
Andrew Tridgell
4cf53c6d0b s4-drs: removed a debug print in repl secret 2010-09-16 16:08:46 +10:00
Andrew Tridgell
e2b6d171d4 s4-drs: get lpcfg_dnsdomain() instead of lpcfg_realm()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 07:24:01 +10:00
Kamen Mazdrashki
7f1db0d8df s4-drs: Wait DsReplicaSync for as long as it takes to complete
In case the caller wants sync execution, we should
not cancel the call for internal timeout reason,
but rather wait for its execution
2010-09-16 00:15:38 +03:00
Kamen Mazdrashki
ee169d7347 s4-irpc: Add 'timeout' param for dcesrv_irpc_forward_rpc_call() call
It is to be used when caller wants to explicitly
specify the timeout for the call
2010-09-16 00:15:38 +03:00
Andrew Tridgell
e7f21fa941 s4-rpcserver: set unbind method to NULL in remote server
this prevents a possible crash on disconnect
2010-09-15 23:08:18 +10:00
Anatoliy Atanasov
4608721935 s4/fsmo: Remove empty new lines 2010-09-15 14:00:27 +03:00
Andrew Tridgell
a498ab90fb s4-rpc: fixed double free in RPC proxy
the unbind method is only called when the dcesrv_connection_context is
being destroyed (its called from the destructor). That means that priv
is either already free, or is about to be freed, so don't free it
again
2010-09-15 15:39:36 +10:00
Jelmer Vernooij
48976ac497 rpc_server: Remove unnecessary dependency on server modules, build
system will take care of that.
2010-09-14 17:24:05 +02:00
Matthias Dieter Wallnöfer
7e710c4de9 s4:rpc_server/common/common.h - introduce two forward declarations to suppress parameter declaration warnings
Always Tru64 in file "param/loadparm.c" and possibly others.
2010-09-11 18:04:48 +02:00
Matthias Dieter Wallnöfer
83cd3f7630 s4:dcesrv_samr_GetGroupsForUser - also universal group memberships are returned here
Tested using User Manager for Domains against Windows Server 2008.
MS-SAMR 3.1.5.9.1 is wrong in this case therefore I've informed the dochelp team.
2010-09-11 14:34:37 +02:00
Andrew Bartlett
e84ab1b35f s4-privs Fix enum privileges in LSARPC server
We were returning the index, not the LUID value

Andrew Bartlett
2010-09-11 22:32:43 +10:00
Andrew Bartlett
0eea8ecfe2 s4-privs Seperate rights and privileges
These are related, but slightly different concepts.  The biggest difference
is that rights are not enumerated as a system-wide list.

This moves the rights to security.idl due to dependencies.

Andrew Bartlett
2010-09-11 18:46:13 +10:00
Andrew Bartlett
da9bca6282 s4-rpc_server Put all 'logon failure' messages at the same debug level 4
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:12 +10:00
Andrew Tridgell
45aecc2833 s4-lsa: privilege IDs should use the enum, not an int
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-11 18:46:12 +10:00
Andrew Bartlett
a32cdadb7c libcli/security Make sec_privilege_from_index() return SEC_PRIV_INVALID on failure
This is clearer and more consistent than using a magic -1 return

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:11 +10:00
Andrew Bartlett
6d78e11e17 libcli/security make sec_privilege_id() return SEC_PRIV_INVALID on failure.
Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:10 +10:00
Andrew Bartlett
9abfd8fe3b s4-privs Add a lookup by index of privilages
Now that privileges are no longer given luid values sequentially,
we need another way to look them up for enumeration.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:05 +10:00
Matthias Dieter Wallnöfer
4fc1319db9 s4:getncchanges_change_master - also in this call "i" needs to be unsigned 2010-09-10 20:20:26 +02:00
Kamen Mazdrashki
25dd9fae66 s4-drs: return DRSUAPI_EXOP_ERR_SUCCESS in extended_ret
in case we are handling extended operation.

It seems that windows accept both DRSUAPI_EXOP_ERR_SUCCESS
and DRSUAPI_EXOP_ERR_NONE, but Samba is a little bit
more picky on this.
2010-09-10 13:08:25 +03:00
Kamen Mazdrashki
611cd51096 s4-drs: Hanlde extended operations only once
Most of extended operations I know of work like:
1. do extended operation
2. collect a set of objects to return and start replication cycle
3. continue returning object as we have no more to give

This way we ensure we are doing 1. only once
2010-09-10 13:08:24 +03:00
Nadezhda Ivanova
5ba2858b02 s4-rpc: Added handling of fsmo role transfer to GetNCChanges
This adds support for DRSUAPI_EXOP_FSMO_REQ_ROLE, DRSUAPI_EXOP_FSMO_RID_REQ_ROLE
and DRSUAPI_EXOP_FSMO_REQ_PDC.
Developed in collaboration with Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-10 13:08:18 +03:00
Kamen Mazdrashki
3f109f8fd7 s4-drs: Dump exact error when failure occurs during DsReplicaUpdateRefs call 2010-09-07 17:09:34 +03:00
Stefan Metzmacher
5c73c84f29 s4:rpc_server/netlogon: use irpc_binding_handle_by_name()
metze
2010-09-03 17:00:20 +02:00
Stefan Metzmacher
f2422a0faa s4:rpc_server/common: use irpc_binding_handle_by_name() in dcesrv_irpc_forward_rpc_call()
metze
2010-09-03 17:00:19 +02:00
Kamen Mazdrashki
fdffa90ef9 s4-drs: A quick fix for DRSUAPI_EXOP_FSMO_RID_ALLOC extended_op handling
When DRSUAPI_EXOP_FSMO_RID_ALLOC extended op is handled
in DsGetNCChanges() stub, we need to returned a well know set of
object - see: [ms-adts], 3.1.1.5.1.7

With this hack we are going to return just objects modified
during RID allocation procedure - i.e. "RID Manager$", "RID Set" for
computer object and computer object itself.

Which is a close approximation of what we are expected to return.
2010-09-03 13:23:48 +03:00
Günther Deschner
e2f15d2a25 s4-trusts: fix trustDomainPasswords drsblobs IDL and server side support.
Also remove bogus trustCurrentPasswords struct which we just had because our IDL
was incorrect.

Guenther
2010-08-25 13:27:50 +02:00
Matthias Dieter Wallnöfer
2d80364f1b s4:getncchanges.c - fix some counter variable types
They should be "unsigned" since they count LDB objects. And also the SID array
can be counted as "unsigned".
2010-08-23 18:05:52 +02:00
Andrew Tridgell
635c41ab82 s4-drs: show the user sid that does the GetNCChanges call
this is useful when debugging replication

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-23 15:55:39 +10:00
Andrew Tridgell
826177bd24 s4-drs: removed the warning on WRIT_REP being set
we just need to clear this flag
2010-08-23 15:55:39 +10:00
Andrew Bartlett
6cf29b3e4f s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code.  (The remaining changes are that privilages still need to be merged)

Andrew Bartlett
2010-08-23 08:50:55 +10:00
Stefan Metzmacher
fe7819ae6f librpc/rpc: move dcerpc_read_ncacn_packet_send/recv() to dcerpc_util.c
metze
2010-08-20 18:09:25 +02:00
Andrew Tridgell
f1c6bab60e s4-drs: fixed the error code for EXOP_REPL_SECRET getncchanges calls
when we deny a EXOP_REPL_SECRET call we should set the exop error code
to NONE, and the main return code to WERR_DS_DRA_ACCESS_DENIED (based
on observing windows server behaviour)

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Andrew Tridgell
4cc6b5a69b s4-drs: bring us much closer to the docs for DRS secret replication
The rules for when a RODC can replicate secrets are:

 - it can always replicate its own acct
 - it can also replicate its krbtgt acct
 - it can't replicate other krbtgt accts
 - it can't replicate interdomain trust accounts
 - it can't replicate users in the denied group list
 - it can replicate users in the allowed group list

otherwise it can't replicate

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Andrew Tridgell
c122939919 s4-drs: implement RODC attribute filtering override
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Andrew Tridgell
dc7cf47371 s4-drs: added sam_ctx_system on DRS bind state
The getncchanges call needs to be able to access the sam as the system
user for RODC clients. To do this it needs a sam_ctx connection with
system credentials

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Kamen Mazdrashki
89899f55dc s4-drs: ATTIDs for deleted attributes should be based on msDs-IntId value if it exists 2010-08-19 03:34:05 +03:00
Kamen Mazdrashki
6a51afcfdb s4-drs: GetNCChanges() to return correct (in AD-way) ATTIDs
Depending on which NC is being replicated, GetNCChanges() returns
either ATTID based on local prefixMap or msDs-IntId value of
the attributeSchema class for the attribute being replicated.

If set, msDs-IntId value is always returned when replicating
object form NC other than Schema NC.
Objects in Schema NC replica always use prefixMap based ATTIDs.
2010-08-19 03:34:03 +03:00
Andrew Bartlett
7c6ca95bec s4:security Remove use of user_sid and group_sid from struct security_token
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-18 09:50:38 +10:00
Matthias Dieter Wallnöfer
786c41b095 s4:netlogon RPC server - "ServerPasswordSet" operations - introduce also here the new password change syntax 2010-08-17 19:24:23 +02:00
Matthias Dieter Wallnöfer
cd711da6ca s4:samr RPC server - samr_password.c - make real user password changes work
Now it's finally possible that the user can change his password with a DSDB
connection using his credentials.
2010-08-17 18:45:34 +02:00
Matthias Dieter Wallnöfer
2a423e0547 s4:kdc/rpc server - adapt the "samdb_set_password" calls which perform password sets 2010-08-17 18:45:34 +02:00
Andrew Tridgell
8835a360ca s4-rpcserver: log unknown RPC calls at debug level 3
This was added as we are occasionally getting an encrypted unknown
netlogon call, and I'm having trouble looking at it in wireshark
2010-08-17 21:21:51 +10:00
Andrew Tridgell
2688375ffe s4-netlogon: added SEC_CHAN_RODC
This seems to be equivalent to SEC_CHAN_BDC, but for RODCs
2010-08-17 21:21:51 +10:00
Andrew Tridgell
21729b63f0 s4-drs: allow getncchanges from RODC with WRIT_REP set
w2k8r2 is setting this bit as a RODC. Instead of refusing the
replication, we now remove the bit from req8, which means other places
in the code that check this bit can stay the same

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
45a2b408ba s4-drs: added domain_sid to DRS security checks
we need the domain_sid to determine if the account is a RODC for our
domain

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
6baa834ebe s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messages
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.

This will allow us to use some of the other flags bits for internal
markers on elements

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Bartlett
272e49e85c s4:auth Move struct auth_usersupplied_info to a common location
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional.  Some elements may only make sense in Samba3, which I hope
will use this common structure.

Andrew Bartlett
2010-08-14 11:58:13 +10:00
Andrew Tridgell
952ef310b5 s4-build: fixed library name in dcerpc_server.pc.in
Thanks to Metze for spotting this
2010-08-14 11:58:13 +10:00
Andreas Schneider
46bcb62780 s4-rpc_server: Fixed the build of the dcerpc_server library.
Brad please check!
2010-08-09 15:57:59 +02:00
Andrew Tridgell
56db40d5fd s4-build: use @PACKAGE_VERSION@ in s4 pc.in files
this gets replaced by vnum from the build rule
2010-08-09 12:27:23 +10:00
Brad Hards
ebd4ea7338 s4-build: added dcerpc_server library
OpenChange needs this for dcerpc_register_ep_server()

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-09 12:27:23 +10:00
Stefan Metzmacher
6598d6dc41 s4:rpc_server/lsa: better include a .h file don't include a .c file
This fixes the build with --nonshared-binary=smbtorture,
as use by the source3/ make test.

metze
2010-08-07 18:16:29 +02:00
Matthias Dieter Wallnöfer
67b1e1b8f3 s3:dcesrv_lsa.c - use the RELAX control in order to create LSA objects 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
f5f236a4b9 s4:dcesrv_netr_LogonGetDomainInfo - improve the client OS informations update
As ekacnet pointed out on the mailing list we don't need to do a delete if we
(re)set the values afterwards - only if we don't set any new ones.
2010-07-31 20:44:29 +02:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Stefan Metzmacher
02a627e719 s4:drsuapi: don't return all linked attributes at the same time
Windows gives them in chunks, but I don't know the correct
rule to calculate the chunk size.

For now I'll use 1500 as the max size.

Windows isn't happy when it gets ~ 100000 linked attributes in one
response. It corrupts its directory index and later moves some objects
to the LostAndFound folder.

metze
2010-07-09 16:43:17 +02:00
Matthias Dieter Wallnöfer
38896f3362 s4:drsuapi RPC server - "result_site_name" - fix variable denomination 2010-07-08 19:28:44 +02:00
Matthias Dieter Wallnöfer
b03040c5a9 s4:SAMR rpc server - "SetUserInfo" - fix the implementation of the expire flag
It has to consider the "password_expires" flag to known if the "pwdLastSet" has
to be updated or to be resetted.
2010-07-06 21:54:21 +02:00
Matthias Dieter Wallnöfer
7f15ca4427 s4:SAMR rpc server - "QueryUserInfo" - send back the password expired flag on level 21
Taken from the s3 server code
2010-07-06 21:54:21 +02:00
Sumit Bose
4efa1081aa s4:rpc_server/lsa/dcesrv_lsa.c - fix typo
Signed-off-by: Günther Deschner <gd@samba.org>
2010-07-06 17:22:42 +02:00
Matthias Dieter Wallnöfer
afcf18f3c9 s4:samr RPC server - "SetUserInfo" - allow some more informations to be set
Taken from the s3 implementation.
2010-07-05 15:36:12 +02:00
Matthias Dieter Wallnöfer
95127b3f5f s4:rpc_server/browser.c - remove unused code
Spotted by the Solaris 10 compiler
2010-06-29 22:32:05 +02:00
Matthias Dieter Wallnöfer
e5c5d371d1 s4:dcesrv_drsuapi.c - fix a counter variable 2010-06-28 14:51:09 +02:00
Matthias Dieter Wallnöfer
4826fdf95f s4:lsa RPC server - Fix up "dcesrv_lsa_DeleteObject"
- Return always "NT_STATUS_OK" on success
- Remove "talloc_free"s on handles since the frees are automatically performed by
  the DCE/RPC server code
2010-06-28 14:51:08 +02:00
Matthias Dieter Wallnöfer
d6098de507 s4:dcesrv_samr_SetUserInfo - implement right "pwdLastSet" behaviour
Behaviour as the torture SAMR passwords tests show.
2010-06-28 14:51:05 +02:00
Matthias Dieter Wallnöfer
3c1a9fb87f s4:dcesrv_samr_SetUserInfo - deny operations when "fields_present" is 0
Taken from s3
2010-06-28 14:51:05 +02:00
Matthias Dieter Wallnöfer
ea83d21341 s4:dcesrv_samr_SetUserInfo - port the "SAMR_FIELD_LAST_PWD_CHANGE" check from s3 to s4 2010-06-28 14:51:04 +02:00
Matthias Dieter Wallnöfer
4c63bb312f s4:dcesrv_samr_SetUserInfo - implement password set level 21 2010-06-28 14:51:04 +02:00
Matthias Dieter Wallnöfer
b705026771 s4:dcesrv_samr_SetUserInfo - implement case 18 which allows to reset the user password 2010-06-28 14:51:04 +02:00
Matthias Dieter Wallnöfer
8feda76d4f s4:OemChangePasswordUser2 - return "NT_STATUS_WRONG_PASSWORD" when we haven't activated the the lanman auth
This is what s3 does.
2010-06-28 14:51:03 +02:00
Matthias Dieter Wallnöfer
8f20a5512a s4:samr_password.c - add a function which sets the password through encrypted password hashes
Used for password sets on "samr_SetUserInfo" level 18 and 21.
2010-06-28 14:51:03 +02:00
Matthias Dieter Wallnöfer
6f6365daba s4:rpc_server/srvsvc/dcesrv_srvsvc.c - remove unreachable code 2010-06-26 20:08:47 +02:00
Matthias Dieter Wallnöfer
f12dab8e00 s4:rpc_server/wkssvc/dcesrv_wkssvc.c - remove unreachable code 2010-06-26 20:08:47 +02:00
Matthias Dieter Wallnöfer
3c3ecf40e5 s4:rpc_server/lsa/dcesrv_lsa.c - remove unreachable code 2010-06-26 20:08:46 +02:00
Matthias Dieter Wallnöfer
d85d6054c9 s4:lsa/lsa_lookup.c - use a better type for the "rtype" of the wellknown SIDs
To suppress warnings on Solaris 10
2010-06-26 20:08:45 +02:00
Matthias Dieter Wallnöfer
3f2e9ce2b4 s4:rpc_server/drsuapi/drsutil.c - remove unreachable code 2010-06-26 19:46:33 +02:00
Matthias Dieter Wallnöfer
e5e4184e5a s4:rpc_server/dcesrv_auth.c - remove unreachable code 2010-06-26 19:45:45 +02:00
Matthias Dieter Wallnöfer
eff7d2db31 s4:samr RPC server - make use of LDB constants in macros 2010-06-22 22:21:12 +02:00
Matthias Dieter Wallnöfer
2f49c8f58e s4:samr RPC server - fix Solaris build warning 2010-06-20 22:33:01 +02:00
Matthias Dieter Wallnöfer
871cdec414 s4:registry RPC server - quite some build warnings on Solaris 2010-06-20 22:33:01 +02:00
Matthias Dieter Wallnöfer
82fd483758 s4:lsa_lookup.c - fix type argument 2010-06-20 22:33:00 +02:00
Matthias Dieter Wallnöfer
0bf26edf6c s4:rpc_server/service_rpc.c - fix warnings on Solaris 2010-06-20 22:32:59 +02:00
Matthias Dieter Wallnöfer
c972e6ec23 s4:rpc_server/service_rpc.c - deactivate the 0-length struct
This should fix the build on Solaris
2010-06-20 22:32:59 +02:00
Matthias Dieter Wallnöfer
56e4822566 s4:dcesrv_netr_DsRAddressToSitenamesExW - fix the detection of the address family in a better way
Obviously the last attempt wasn't enough. Now we do really only read the first
byte in the address buffer which on little endian transmission does always
contain the address family (MS-NRPC 2.2.1.2.4.1).
This should now be working platform-independently.
2010-06-18 10:03:08 +02:00
Matthias Dieter Wallnöfer
d9c81e3ea5 s4:dcesrv_netr_DsRAddressToSitenamesExW - fix the read of the IP packet version
This should make it clearer by the use of the standardised "sa_family_t" type
and hopefully fixes the problems on platforms other than Linux (NetBSD in the
buildfarm for example).
2010-06-16 21:47:22 +02:00
Matthias Dieter Wallnöfer
1137e8e95e s4:SAMR server - cosmetic fix 2010-06-14 11:41:32 +02:00
Matthias Dieter Wallnöfer
f0ab520f6e s4:SAMR server - on alias search operations do never use the domain DN as base dn
Aliases (especially in the "builtin" domain) are often domain-independant.
2010-06-14 11:37:11 +02:00
Matthias Dieter Wallnöfer
731b4469cb s4:dcesrv_samr_GetGroupsForUser - return error code if a SID wasn't found
This shouldn't happen since SIDs are mandatory for security objects
2010-06-12 17:50:52 +02:00
Matthias Dieter Wallnöfer
a67fa2db3b s4:dcesrv_samr_QueryGroupMember/GetMembersInAlias - unify the structure
Mostly cosmetic fixes
2010-06-12 17:45:14 +02:00
Matthias Dieter Wallnöfer
d2c25e1b11 s4:dcesrv_samr_GetAliasMembership - provide a correct implementation
We could also have no valid SID specified at all and also then we have to
return an empty array with "NT_STATUS_OK". This shows the torture testsuite.
2010-06-12 16:45:48 +02:00
Matthias Dieter Wallnöfer
4a8ee9a333 s4:dcesrv_samr_EnumDomainGroups/Aliases - when we don't get a SID then the database is corrupted
Group/User/Alias entries do always have a SID (it's a mandatory attribute in the
SAM directory)!
2010-06-12 16:45:48 +02:00
Matthias Dieter Wallnöfer
4659b3c4fd s4:dcesrv_samr_QueryAliasInfo - return "NT_STATUS_NO_SUCH_ALIAS" when it wasn't found 2010-06-12 16:45:48 +02:00
Matthias Dieter Wallnöfer
d2099a1def s4:dcesrv_samr_QueryGroupInfo - make it more like "QueryAliasInfo" 2010-06-12 16:45:48 +02:00
Matthias Dieter Wallnöfer
776eb25ef7 s4:dcesrv_samr_QueryUserInfo - minor fixes
Return  "NT_STATUS_NO_SUCH_USER" when user account doesn't exist.
2010-06-12 16:45:47 +02:00
Matthias Dieter Wallnöfer
cdecae6c03 s4:dcesrv_samr_QueryDomainInfo - allocate the "info" structure only when really needed
That means the allocation should move after the lookup (as it is on
"QueryUserInfo"). Return "NT_STATUS_NO_SUCH_DOMAIN" on an invalid domain.
2010-06-12 16:45:47 +02:00
Matthias Dieter Wallnöfer
0171f714b4 s4:dcesrv_samr_EnumDomainGroups - mostly small fixes 2010-06-12 16:45:47 +02:00
Matthias Dieter Wallnöfer
f2c3d39e72 s4:dcesrv_samr_EnumDomainAliases - return an empty array also when no entry was returned 2010-06-12 16:45:46 +02:00
Matthias Dieter Wallnöfer
5a1cb7029c s4:dcesrv_samr_EnumDomainAliases - mostly small fixes
The biggest change consists in the implementation of the Windows Server
return size formula MIN(*r->out.num_entries, 1+(r->in.max_size/SAMR_ENUM_USERS_MULTIPLIER).
2010-06-12 16:45:46 +02:00
Matthias Dieter Wallnöfer
84bda98066 s4:dcesrv_samr_EnumDomainUsers - make this call look more similar to "EnumDomainGroups" and "EnumDomainAliases"
That means that the lookup is now also done by "samdb_search_domain" to be more
consistent.
2010-06-12 16:45:46 +02:00
Matthias Dieter Wallnöfer
9f95298864 s4:dcesrv_samr_Add/DeleteAliasMember - provide better NTSTATUS return codes when something didn't work 2010-06-10 16:22:08 +02:00
Matthias Dieter Wallnöfer
7374cd0358 s4:dcesrv_samr_GetAliasMembership - fix type of counter variables 2010-06-10 16:22:07 +02:00
Matthias Dieter Wallnöfer
34b43a8642 s4:dcesrv_samr_DeleteAliasMember - add more braces to fit better the coding styles 2010-06-10 16:22:07 +02:00
Matthias Dieter Wallnöfer
305f2c7043 s4:dcesrv_samr_AddAliasMembership - Merge the two error blocks into one 2010-06-10 16:22:07 +02:00
Matthias Dieter Wallnöfer
13b1f7a2b3 s4:dcesrv_samr_Add/DelGroupMember - remove the account type check
MS-SAMR 3.1.5.8 speaks from accounts which are not necessarely only users.
2010-06-10 16:22:06 +02:00
Matthias Dieter Wallnöfer
f95634dbe0 s4:dcesrv_samr_AddGroupMember - also the error code "LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS" is allowed
This is returned when the group is the primary group of the specified entry.
2010-06-10 16:22:06 +02:00
Matthias Dieter Wallnöfer
11e2608ba9 s3/s4:netrEnumerateTrustedDomains - this call returns a "NTSTATUS" result
See MS-NRPC 3.5.5.6.3.
2010-05-31 12:08:59 +02:00
Matthias Dieter Wallnöfer
0eec33417e s4:dcesrv_netr_DsrEnumerateDomainTrusts - fix an integer type 2010-05-31 12:08:58 +02:00
Matthias Dieter Wallnöfer
55df7606e3 Revert "s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000"
This reverts commit 1cf5be39e3.

My fix approach isn't such appreciated therefore revert this.
2010-05-30 14:53:36 +02:00
Matthias Dieter Wallnöfer
1cf5be39e3 s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000
Windows 2000 does strictly request header signing on some requests also if the
server doesn't provide it. But there is a small trick (don't reset the actual
session info) to make these special RPC operations work without a full header
signing implementation.

This fixes for example the list of domain groups in local groups when displayed
sing the local user/group management tool.

And this should finally fix bug #7113.

The patch was inspired by another one by tridge and abartlet: http://gitweb.samba.org/samba.git/?p=tridge/samba.git;a=commitdiff;h=2dc19e2878371264606575d3fc09176776be7729
2010-05-30 12:39:30 +02:00
Simo Sorce
3c8dc5cd21 s4:smbd: Use tstream_npa_accept_existing to accept named pipe connections
Pair-programmed-with: Stefan Metzmacher <metze@samba.org>
2010-05-26 09:24:05 +02:00
Matthias Dieter Wallnöfer
189950ce06 s4:dsdb_enum_group_mem - use "unsigned" counters
"size_t" counters aren't really needed here (we don't check data lengths).
And we save the result in a certain "num_sids" variable which is of type
"unsigned".
2010-05-24 22:01:36 +02:00
Andrew Bartlett
285647664c s4:idmap Adjust code to new idmap structure names and layout.
Andrew Bartlett
2010-05-24 23:08:56 +10:00
Andrew Bartlett
f6aa090202 s4:samr Push most of samr_LookupRids into a helper function
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.

By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.

Andrew Bartlett
2010-05-24 23:08:56 +10:00
Andrew Bartlett
c6ffd884d9 s4:samr Push most of samr_QueryGroupMember into a helper function
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID

By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.

Andrew Bartlett
2010-05-24 23:08:49 +10:00
Andrew Bartlett
20d2847492 s4:samr Move most of samr_CreateDomAlias into a helper function
This allows this logic to be shared, rather than copied, into a passdb
wrapper.

Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
fc04e565b0 s4:samr Split most of samr_CreateDomainGroup into a helper function
This allows this logic to be shared, rather than copied, into a passdb
wrapper.

Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
43c931b2d4 s4:samr Split the guts of samr_CreateUser2 into a helper function
This allows this logic to be shared, rather than copied, into a passdb
wrapper.

Andrew Bartlett
2010-05-24 23:08:11 +10:00
Matthias Dieter Wallnöfer
8e1e6b0112 s4:LogonGetDomainInfo - allow to set DNS hostname for the first time
Otherwise it obviously can never be set.
2010-05-24 14:01:06 +02:00
Jelmer Vernooij
f9ca9e46ad Finish removal of iconv_convenience in public API's. 2010-05-18 11:45:30 +02:00
Matthias Dieter Wallnöfer
6e8098b261 s4:samdb_set_password/samdb_set_password_sid - Rework
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.

An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2010-05-10 19:07:46 +02:00
Matthias Dieter Wallnöfer
a4e35df3f5 s4:LogonGetDomainInfo - fix a potential crash source 2010-05-03 17:25:03 +02:00
Matthias Dieter Wallnöfer
e8a001c516 s4:LogonGetDomainInfo - fix indentation 2010-05-03 17:25:02 +02:00
Matthias Dieter Wallnöfer
8ed5e8ac9d s4:LogonGetDomainInfo - remove singular "dNSHostName" check - this doesn't belong here
I'm not really sure if this check is really done on Windows Server. And if it
is done, then it's on the LDB level (module).
2010-05-03 17:25:02 +02:00
Anatoliy Atanasov
dbbbc7d1f8 s4/rodc: RODC FAS initial implementation 2010-04-29 10:18:06 +03:00
Kamen Mazdrashki
bf49ac99c9 s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUID
This function is used in DRSUpdateRefs() implementation where we
get DSA's objectGUID rather than invocationId
2010-04-28 12:11:03 +03:00
Stefan Metzmacher
7ca576e5c4 s4:rpc_server: remove unused socket_address based functions
metze
2010-04-27 17:05:30 +02:00
Andrew Tridgell
91bb4893c4 s4-netlogon: fixed getDcNameEx2 for blank inputs
w2k8r2 returns the local DC information on no inputs for
getDcNameEx2. This is needed for starting dsa.msc (ADUC) on
Win7.

CDLAP on the same call returns an error. This uses a parameter
fill_on_blank_request to distinguish the two cases.
2010-04-28 00:19:30 +10:00
Stefan Metzmacher
7bbaab8dff s4:rpc_server: remove 'socket_address' based functions
metze
2010-04-27 13:00:25 +02:00
Stefan Metzmacher
32bcc73cf8 s4:rpc_server/srvsvc: pass tsocket_address to the ntvfs layer
metze
2010-04-27 13:00:25 +02:00
Stefan Metzmacher
772cf15eb9 s4:rpc_server/spoolss: use tsocket_address in dcesrv_spoolss_check_server_name()
metze
2010-04-27 13:00:25 +02:00
Stefan Metzmacher
606025f11d s4:rpc_server/netlogon: use tsocket_address in dcesrv_netr_DsRGetDCNameEx2()
metze
2010-04-27 13:00:25 +02:00
Stefan Metzmacher
c42bb8e49c s4:rpc_server: remember the local and remote address
metze
2010-04-27 13:00:25 +02:00
Matthias Dieter Wallnöfer
2654e34cf0 s4:netr_DsRAddressToSitenames[Ex]W calls - implement them correctly with the client site information
This behaviour should be similar to the one of Windows Server (in my case 2008)
2010-04-27 08:09:12 +02:00
Matthias Dieter Wallnöfer
bb91afe50c Revert "s4:netr_DsRAddressToSitenames[Ex]W calls - implement them correctly with the client site information"
This reverts commit 908d982980.

I need to merge the improved version of this commit.
2010-04-27 08:08:42 +02:00
Matthias Dieter Wallnöfer
581f86ba73 Revert "s4-netlogon: fixed breakage of dcesrv_netr_GetAnyDCName in sites patch"
This reverts commit e88a54a87e.

This isn't the correct behaviour. See MS-NRPC documentation under the
"GetAnyDCName" section.
2010-04-27 08:07:19 +02:00
Andrew Tridgell
e88a54a87e s4-netlogon: fixed breakage of dcesrv_netr_GetAnyDCName in sites patch
We should respond when we are the PDC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-27 15:24:43 +10:00
Matthias Dieter Wallnöfer
cfbd5ef8c4 s4:netlogon RPC server - we don't need "are we DC" proofs
When we aren't a DC we shouldn't have the netlogon pipe available.
[MS-NRPC 1.3] says that we can only have DCs on the server side.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-27 15:24:43 +10:00
Matthias Dieter Wallnöfer
4686305feb s4:dcesrv_netr_DsrGetDcSiteCoverageW - provide a basic implementation
Does for now only return DC's primary site.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-27 15:24:42 +10:00
Matthias Dieter Wallnöfer
3b4137c7be s4:dcesrv_netr_DsRGetSiteName - provide an implementation according to the MS-NRPC docs
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-27 15:24:41 +10:00
Matthias Dieter Wallnöfer
5fc7118675 s4:dcesrv_netr_GetAnyDCName - improve the call according to the MS-NRPC documentation
This implementation checks if the domainname is valid for us or a trusted domain.

Then I've also added the PDC location functionality. That means that we should
return "WERR_NO_SUCH_DOMAIN"  (MS-NRPC 3.5.5.2.5).

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-27 15:24:41 +10:00
Matthias Dieter Wallnöfer
908d982980 s4:netr_DsRAddressToSitenames[Ex]W calls - implement them correctly with the client site information
This behaviour should be similar to the one of Windows Server (in my case 2008)

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-27 15:24:41 +10:00
Andrew Tridgell
c375b90f5d s4-getncchanges: honor DRSUAPI_DRS_REF_GCSPN
this is an alternative way of establishing repsTo
2010-04-27 10:38:58 +10:00
Andrew Tridgell
6ee1c503bf s4-drs: don't send uninstantiated objects in getncchanges
This includes deleted partitions

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-26 19:06:07 +10:00
Andrew Tridgell
e7262b51d1 s4-drs: validate RODC credentials via the user_sid
This checks whether a replication client is a RODC by inclusion of the
the DOMAIN_RID_ENTERPRISE_READONLY_DCS sid in the users token

Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22 19:36:16 +10:00
Andrew Tridgell
bb1ba4ff76 s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC

This required a new domain_sid argument to
security_session_user_level()

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
2010-04-22 19:36:16 +10:00
Andrew Tridgell
90230ce27e s4-drs: only allow replication with the right invocationId
Non-administrator replication checks the invocationId matches
the sid of the user token being used

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22 19:36:16 +10:00
Fernando J V da Silva
73513fb7e7 s4-drs: Use new samdb_rodc() function in s4 code
This patch fits the calling to the new samdb_rodc() function and
fix a little bug in this function.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22 19:36:15 +10:00
Fernando J V da Silva
d940a44496 s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges reply
During building an object to send it on a GetNCChanges reply, it checks
the attributes and if any of them is a RODC filtered and the recipient
is a RODC, then such attribute is not sent.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22 19:36:15 +10:00
Fernando J V da Silva
57bcdf008f s4-drs: samdb_is_rodc() function and new samdb_rodc() function
This patch creates the samdb_is_rodc() function, which looks for
the NTDSDSA object for a DC that has a specific invocationId
and if msDS-isRODC is present on such object and it is TRUE, then
consider the DC as a RODC.
The new samdb_rodc() function uses the samdb_is_rodc() function
for the local server.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22 19:36:15 +10:00
Matthias Dieter Wallnöfer
3a8b67fd36 s4:netlogon RPC server - fix a counter variable type 2010-04-21 18:06:17 +02:00
Stefan Metzmacher
135208d990 s4:rpc_server/netlogon: add no memory checks
metze
2010-04-20 16:02:14 +02:00
Andrew Tridgell
b4b43fcb4c s4-netlogon: fixed dc_unc and dc_address_type
These are needed for dcpromo from w2k8r2
2010-04-20 23:43:33 +10:00
Matthias Dieter Wallnöfer
41716a8c13 s4:netlogon RPC - "fill_one_domain_info" - use "lp_workgroup" for the DC short domainname discovery
Here we don't need to use "lp_sam_name" since in this function we are always a
DC.
2010-04-20 09:33:46 +02:00
Matthias Dieter Wallnöfer
84c901a619 s4:"samdb_server_site_name" uses - proof for out of memory 2010-04-13 15:45:29 +02:00
Matthias Dieter Wallnöfer
aa02f44255 s4:dcesrv_netr_DsRGetDCNameEx2 - provide a much better implementation
On the base of the "fill_netlogon_samlogon_response" call.

This removes duplicated code.
2010-04-13 15:26:54 +02:00
Matthias Dieter Wallnöfer
0dffa9caec s4:use "samdb_forest_name" for the forest DNS domainname lookup 2010-04-13 09:32:33 +02:00
Matthias Dieter Wallnöfer
ad9e407357 Revert "s4:prefer "samdb_*_dn" basedn calls over the "ldb_get_*_dn" functions"
We should use the "ldb_get_*_basedn" calls since they are available in the LDB
library.
2010-04-13 08:55:15 +02:00
Matthias Dieter Wallnöfer
1a27343366 s3/s4:netlogon IDL - fix up "struct netr_SamInfo6" regarding the "forest" attribute
According to MS-NRPC 2.2.1.4.13 this should be the DNS domainname, not the
forest one.
2010-04-12 18:49:01 +02:00
Matthias Dieter Wallnöfer
98ce053efd s4:prefer "samdb_*_dn" basedn calls over the "ldb_get_*_dn" functions
Purely cosmetic change.
2010-04-12 18:49:01 +02:00
Andrew Bartlett
2c193fe91a s4:auth Remove event context from anonymous_session()
This should always return a simple structure with no need to consult a
DB, so remove the event context, and simplfy to call helper functions
that don't look at privilages.

Andrew Bartlett
2010-04-11 13:36:04 +10:00
Andrew Bartlett
4b27cc0ea6 s4:rpc_server Fix segfault in modified SamLogon handling 2010-04-10 21:41:00 +10:00
Andrew Bartlett
0340826772 s4:rpc_server Add all SIDs into the netlogon SamLogon reply
We were missing the SIDs that are not in the domain.
2010-04-10 21:41:00 +10:00
Günther Deschner
35ef60918b s4-winreg: Fix dcesrv_winreg_CreateKey after rename.
Guenther
2010-04-09 13:57:18 +02:00
Günther Deschner
846813797d s4-winreg: add winreg_DeleteKeyEx stub.
Guenther
2010-04-09 00:27:58 +02:00
Andrew Tridgell
f9eae32f4b s4-waf: mark the wscript files as python so vim/emacs knows how to highlight them 2010-04-06 20:27:11 +10:00
Andrew Tridgell
aa5e08eb83 s4-waf: install the rest of the headers 2010-04-06 20:27:09 +10:00
Andrew Tridgell
844acb2260 build: waf quicktest nearly works
Rewrote wafsamba using a new dependency handling system, and started
adding the waf test code
2010-04-06 20:26:48 +10:00
Andrew Tridgell
845e0cbe6f build: commit all the waf build files in the tree 2010-04-06 20:26:48 +10:00
Simo Sorce
4b249a616b s4:lsa implement lsaRSetForestTrustInformation 2010-03-30 17:46:52 -04:00
Matthias Dieter Wallnöfer
90d2902c73 s4:registry - move the UTF16 length calculation for "reg_key_get_info" into the RPC server code
It does fit better there.
2010-03-29 20:36:32 +02:00
Kamen Mazdrashki
00fce797e8 s4/drs: drsuapi_DsAddEntry_ErrData propagate structure def in source code 2010-03-24 17:34:37 +02:00
Simo Sorce
d9e311ddce s4:lsa Functions to set Domain Trust Information 2010-03-22 21:49:40 -04:00
Simo Sorce
668e7db9d6 s4:lsa move code to add trusted domain user into its own function 2010-03-22 21:49:40 -04:00
Simo Sorce
650a62d1cb s4:lsa Abstract crypto (un)wrapping in separate functions 2010-03-22 21:49:39 -04:00
Matthias Dieter Wallnöfer
0c10703c75 s4:WINREG RPC - add also here a "W_ERROR_HAVE_NO_MEMORY" 2010-03-22 22:31:06 +01:00
Matthias Dieter Wallnöfer
43170dafbc s4:registry - adaptions for "add memory contexts for delete value/key functions" 2010-03-22 22:31:00 +01:00
Matthias Dieter Wallnöfer
2bbdb2cd34 s4:WINREG RPC server - don't check for the "name" size in "EnumValue"
This isn't needed at all since:
1.) a new name object is created and sent back to the client
2.) the "size" seems to be the size of the "name" pointer. On my test with the
    "regedt32" program this has always been "4".
2010-03-21 15:12:37 +01:00
Matthias Dieter Wallnöfer
811c601ae0 s4:WINREG RPC - we support only non-volatile keys 2010-03-21 14:30:45 +01:00
Matthias Dieter Wallnöfer
1cdeb0c0d2 s4:WINREG RPC - specify the performed create action for "CreateKey"
To make the WINREG RPC testsuite happy.
2010-03-21 14:03:58 +01:00
Günther Deschner
a5ad510fc4 s4-lsa: fix dcesrv_lsa_lsaRSetForestTrustInformation server stub.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-16 15:12:19 +01:00
Simo Sorce
8353aa39b6 s4:idl change level to type in lsa_ForestTrustRecord. 2010-03-16 14:48:40 +01:00
Andrew Bartlett
2de07761e0 s4:dsdb Change dsdb_get_schema() callers to use new talloc argument
This choses an appropriate talloc context to attach the schema too,
long enough lived to ensure it does not go away before the operation
compleates.

Andrew Bartlett
2010-03-16 19:26:03 +11:00
Stefan Metzmacher
580d491faa s4:rpc_server/spoolss: make use of dcerpc_binding_handle stubs
metze
2010-03-12 15:25:50 +01:00
Günther Deschner
9e80fe6675 s4-winreg: continue processing in WERR_MORE_DATA case in dcesrv_winreg_QueryValue().
Matthias, please check.

Guenther
2010-03-11 20:17:48 +01:00
Stefan Metzmacher
b71bbbab8b s4:rpc_server/drsuapi: don't reset [out,ref] pointer to NULL in dcesrv_drsuapi_DsRemoveDSServer()
metze
2010-03-11 13:31:39 +01:00
Andrew Bartlett
5ed18fad00 s4/rpc_server Don't segfault over replPropertyMetaData contents
The replPropertyMetaData may contain attrid values that we don't yet
have in the local schema.  We need to deal with this - it is a serious
error, but we should not segfault.

Andrew Bartlett
2010-03-11 11:27:47 +11:00
Matthias Dieter Wallnöfer
5d10676b3b s4:winreg RPC - fix up the "QueryValue" call to work against the enhanced torture test
Found out by gd's updated torture test.
2010-03-10 19:49:25 +01:00
Stefan Metzmacher
bb1d81bab7 s4:rpc_server/wkssvc: don't reset [out,ref] pointer to 0
r->out.total_entries = 0; should be *r->out.total_entries = 0;

Otherwise we fail to marshall the reponse or crash if we run with
log level = 10 and trigger the ndr_print functions.

All out elements are already setup and initialized by the pidl generated code.

metze
2010-03-10 17:12:11 +01:00
Stefan Metzmacher
21326d48d7 s4:rpc_server/wkssvc: remove unneeded talloc_reference()
metze
2010-03-10 17:12:10 +01:00
Stefan Metzmacher
00ce349ad1 s4:rpc_server/wkssvc: avoid ZERO_STRUCT(r->out) and use already allocated [out,ref] memory
metze
2010-03-10 17:12:10 +01:00
Stefan Metzmacher
11a402afa8 s4:rpc_server/srvsvc: remove unused ZERO_STRUCT(r->out);
Here it doesn't matter, but it's a bad example for other code
as it might reset the [out,ref] pointers which are already
generated by the pidl generated code.

metze
2010-03-10 17:12:09 +01:00
Günther Deschner
eeb8c36326 s4-spoolss: remove unsed iconv handle from dcesrv_spoolss_GetPrinterData().
Guenther
2010-03-10 11:16:20 +01:00
Matthias Dieter Wallnöfer
eeb05bf746 s4:winreg RPC - don't crash when incoming data wasn't correctly specified
Also found by the WINREG torture test enhancements by gd.
2010-03-10 09:26:17 +01:00
Matthias Dieter Wallnöfer
9995a37a8c s4:netlogon RPC - "LogonGetDomainInfo" - make the call compatible with >= Windows 2008
Add more security checks and other corrections to imitate Windows Server >= 2008.
2010-03-09 17:18:46 +01:00
Matthias Dieter Wallnöfer
24049e8fc5 s4:lsa RPC - fix up "gendb_*" result codes
Make the resultcodes consistent: that means:
result < 0  -> NT_STATUS_INTERNAL_DB_CORRUPTION since our DB had a critical
               error
result >= 0 -> depends on the function usage. I tried to let the logic always as
               it was before.
2010-03-06 11:19:04 +01:00
Matthias Dieter Wallnöfer
a6cf89228f s4:lsa RPC - Change some counters to be "unsigned" where needed
The "count" size specifiers I typed "uint32_t" since they're often returned as
an "uint32_t" (consider the IDL file). LDB counters need to be "signed" if they
count till a limit of a "gendb*" call or "unsigned" if they count directly the
number of objects.
2010-03-06 11:04:35 +01:00
Matthias Dieter Wallnöfer
9442a5593d s4:samr RPC - Change some counters to be "unsigned" where needed
The "count" size specifiers I typed "uint32_t" since they're often returned as
an "uint32_t" (consider the IDL file). LDB counters need to be "signed" if they
count till a limit of a "gendb*" call or "unsigned" if they count directly the
number of objects.
2010-03-06 10:44:33 +01:00
Matthias Dieter Wallnöfer
f24dfbfb18 s4:drsuapi RPC - Change also here counters to "unsigned"
No need to have "signed" counters at those places.
2010-03-05 18:38:58 +01:00
Günther Deschner
91ff11d504 s4-spoolss: fix dcesrv_spoolss_GetPrinterData build.
really not my day today...

Guenther
2010-03-05 16:34:17 +01:00
Günther Deschner
8e499ec847 s4-spoolss: fix spoolss_GetPrinterData implementation after IDL change.
Guenther
2010-03-05 15:18:00 +01:00
Matthias Dieter Wallnöfer
ce296d2a53 s4:dcesrv_samr_AddAliasMember - wrap a long "DEBUG" statement 2010-03-05 15:01:07 +01:00
Matthias Dieter Wallnöfer
6a1a7ce9eb s4:srvsvc RPC - "srvsvc_create_ntvfs_connect"
Previous commit was incomplete. The "service" parameter in the "tcon" structure
should point to "scfg->name". I'm not sure if "share" is right but the first
was used before commit f390daef47.
2010-03-03 20:15:25 +01:00
Matthias Dieter Wallnöfer
9b4d208ce8 s4:srvsvc RPC - fix up the "ntvfs_connect" in "srvsvc_create_ntvfs_connect"
This should be the right fix (set the service name in the tcon union to the
share name/path). That should be the solution for bug #6784.
2010-03-03 18:43:23 +01:00
Matthias Dieter Wallnöfer
8d0fbfe987 s4:dcesrv_samr - Also "OpenGroup" needs to support universal groups 2010-03-03 17:15:31 +01:00
Matthias Dieter Wallnöfer
f92c28bf4e s4:dcesrv_samr - Fix up "EnumDomainGroups" and "QueryDisplayInfo" calls
We need to look for both global and universal group types when querying them.
Found by ekacnet (http://lists.samba.org/archive/samba-technical/2010-March/069777.html).
2010-03-03 17:15:31 +01:00
Matthias Dieter Wallnöfer
5c73ecd2b3 s4:echo RPC - make this one "signed-safe"
"i" needs to be unsigned here since it counts until "r->in.len" which itself is
unsigned and not signed.
2010-03-02 17:46:02 +01:00
Matthias Dieter Wallnöfer
05bd8c17be s4:srvsvc RPC - revert one unsigned integer "i" back to signed
This is needed since this particular "i" counts until "count" which itself is
signed. "count" is set through a signed integer variable parameter from the
"share_list_all" call.
2010-03-01 21:18:43 +01:00
Stefan Metzmacher
340bcf646b s4:rpc_server/remote: do async calls
metze
2010-03-01 18:45:20 +01:00
Matthias Dieter Wallnöfer
ff17d8ab1e s4:srvsvc RPC - make this one "signed-safe" 2010-03-01 18:45:20 +01:00
Matthias Dieter Wallnöfer
b963741aae s4:unixinfo RPC - make this one "signed-safe" 2010-03-01 18:45:20 +01:00
Matthias Dieter Wallnöfer
932a986a4f s4:spoolss RPC - make this one "signed-safe" 2010-03-01 18:45:19 +01:00
Matthias Dieter Wallnöfer
246742b30e s4:remote RPC - make this one "signed-safe" 2010-03-01 18:45:19 +01:00
Matthias Dieter Wallnöfer
c953b26241 s4:epmapper RPC - make this one "signed-safe" 2010-03-01 18:45:16 +01:00
Anatoliy Atanasov
b73437fbaa s4/rodc: Implement samdb_rodc with ldb context 2010-03-01 14:17:32 +02:00
Matthias Dieter Wallnöfer
e0e549a770 s4:dcesrv_samr.c - Remove unused variable 2010-02-26 11:54:45 +01:00
Simo Sorce
a7057e69c7 s4:lsa use the correct way to store a domain sid
Converting the sid to a string and then storing a string does not save the sid
in the right format. Causing following retrievals to fail to read back a sid
with samdb_result_dom_sid().
2010-02-24 18:35:48 -05:00
Simo Sorce
376fa0d66e s4:lsa avoid confusing ourselves over sam_ldb
Do not use policy_state->sam_ldb and trusted_domain_state->policy->sam_ldb
interchangeably all over the place. Just use sam_ldb everywhere and make the
code slightly more readable.
2010-02-24 18:35:48 -05:00
Simo Sorce
4930de5cd9 s4:lsa cleanup trailing spaces and tabs 2010-02-24 18:35:47 -05:00
Simo Sorce
f09802cfc8 s4:netlogon remove wrong ZERO_STRUCT of output
This was causing marshalling faults when we returned errors.
2010-02-24 11:04:09 -05:00
Simo Sorce
1203de99b1 s4:schannel merge code with s3
After looking at the s4 side of the (s)channel :) I found out that it makes
more sense to simply make it use the tdb based code than redo the same changes
done to s3 to simplify the interface.

Ldb is slow, to the point it needs haks to pre-open the db to speed it up, yet
that does not solve the lookup speed, with ldb it is always going to be slower.

Looking through the history it is evident that the schannel database doesn't
really need greate expanadability. And lookups are always done with a single
Key. This seem a perfet fit for tdb while ldb looks unnecessarily complicated.

The schannel database is not really a persistent one. It can be discared during
an upgrade without causing any real issue. all it contains is temproary session
data.
2010-02-23 12:46:50 -05:00
Simo Sorce
8e2f5fe7c5 s4:schannel more readable check logic
Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on the caller's
security requirements (Integrity/Privacy/Both/None)

This is the same change applied to s3
2010-02-23 12:46:50 -05:00
Matthias Dieter Wallnöfer
4ef82accfe s4:netlogon RPC - fix the indentation
Simo, I'm not really sure that those checks are valid. I read MS-NRPC section
3.5.4.1 about LOGONSRV_HANDLEs ("server_name" is of this type). There isn't
stated that the server name has necessarily to be in the DNS form and should
also be valid when it's NULL (if DCE server and client are the same - I don't
know if me make use of it in s4).
2010-02-23 09:53:17 +01:00
Simo Sorce
d4b8be513c s4:netlogon GetTrustedDomainInformation
start implementing calls related to trusted domain information
2010-02-22 18:49:16 -05:00
Simo Sorce
dbcc7ad7e4 s4:netlogon fix segfault 2010-02-22 18:48:36 -05:00
Simo Sorce
73bfd9de5d s4:netlogon enhance DsrEnumerateDomainTrusts
Actually return trust relationships by searching the appropriate
entries in the SAM database.
Add checks and return the correct flags, type and attributes.
2010-02-21 17:00:23 -05:00
Simo Sorce
0679c77469 cleanup
remove trailing spaces, tabs and blank lines
2010-02-21 11:59:04 -05:00
Simo Sorce
da1970c0ff s4:lsa open trusted domain also with dns name
When searching for a trusted domain object to open, search also the DNS Name
attributes for a match. W2K8R2 uses the DNS domain if available.
2010-02-19 18:31:45 -05:00
Simo Sorce
c8a3c01585 remove trailing tabs and spaces 2010-02-19 18:31:45 -05:00
Simo Sorce
fff7750618 readability reformatting
stop this function from maiking my eyes bleed
2010-02-19 17:20:09 -05:00
Andrew Bartlett
f74ce57cb5 s4:rpc_server Add a 'if_version' parameter to the bind operation.
This allows the interface version to be forwarded to the remote server
in the RPC proxy, both in the endpoint lookup and the subsequent bind.

Andrew Bartlett
2010-02-20 02:55:29 +11:00
Andrew Bartlett
10fed057cd s4:rpc_server Record the remote connections association group ID
By recording the association group the remote server assigned to our
proxied RPC connection, we can ensure we use the same value when the
client wishes to use it.

This isn't stored in a private pointer, as mapiproxy will want to use
this feature too.

Andrew Bartlett
2010-02-19 16:32:49 +11:00
Andrew Tridgell
1e13d3fb07 s4-dcerpc: fixed auth padding to be relative to the stub, not packet
The recent dcerpc padding changes made our padding relative to the
packet header, instead of the start of the stub. Surprisingly, this
broke w2k8r2 doing a dcpromo join to a s4 server. It seems that w2k8r2
is very fussy about the padding it gets in some circumstances.
2010-02-16 21:10:52 +11:00
Andrew Tridgell
90203f87e7 s4-dsdb: change samdb_replace() to dsdb_replace() and allow for dsdb_flags
This allows for controls to be added easily where they are needed.
2010-02-16 21:10:50 +11:00
Andrew Tridgell
c6d85d67f9 s4-dsdb: replace dsdb_modify_permissive() with dsdb_modify() and dsdb_flags 2010-02-16 21:10:50 +11:00
Andrew Tridgell
05425fcf14 s4-drs: replace manual checks with dsdb_modify_permissive()
Much simpler to use the permissive control instead of manually munging
the SPN list.
2010-02-15 18:58:40 +11:00
Andrew Tridgell
2908f21c65 s4-drs: use a permissive modify in addentry
It is not an error if entries already exist.
2010-02-15 18:58:40 +11:00
Matthias Dieter Wallnöfer
05b6e3f4f4 s4:dcesrv_lsa.c - remove a superfluous empty line
One empty line is enough for code part divisions.
2010-02-14 10:48:13 +01:00
Andrew Tridgell
eb5fc899b0 s4-rpcserver: teach the rpc server to cope with bad sig_size estimates 2010-02-14 18:44:21 +11:00
Andrew Tridgell
259129e8f4 a4-dcerpc: another attempt at dcerpc auth padding
The last change broke net vampire against w2k8r2
2010-02-14 18:44:21 +11:00
Andrew Tridgell
da86f08605 s4-rpc: be more careful about DCERPC auth padding
Cope with a wider range of auth padding in dcerpc bind_ack and
alter_context packets. We now use a helper function that calculates
the right auth padding.
2010-02-13 23:12:29 +11:00
Andrew Tridgell
3ae75a4248 s4: use LDB_TYPESAFE_QSORT() instead of ldb_qsort() 2010-02-13 22:36:12 +11:00
Andrew Tridgell
f954f522a4 s4-rpcserver: use TYPESAFE_QSORT() in rpc servers 2010-02-13 22:36:12 +11:00
Kai Blin
ea055e8c79 s4: Switch to S3-style id mapping data types. 2010-02-11 23:56:35 +01:00
Kamen Mazdrashki
8823a549ca s4/drs: propagate DRS_ extension flags in code base 2010-02-05 10:51:57 +01:00
Michael Adam
fb4679638d s4:rpc-server:samr: fix setting of lockout duration < lockout window
This should return NT_STATUS_INVALID_PARAMETER.
This makes samba pass the first part of the samr-lockout test.

This constraint is documented here for the samr server:
http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates

and here for the ldap backend:
http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
MS-ADTS 3.1.1.5.3.2 Constraints

So the check should actually be moved down into the backend,
i.e. under dsdb/samdb/ldb_modules - TODO..

Michael
2010-01-21 13:01:24 +01:00
Andrew Tridgell
f461a72ec3 idl: switched to using the WSPP names for the 'neighbour' DRS options
The documentation shows that all these functions in fact use the same
flags variable type. To be consistent between functions, and to allow
easy reference to the WSPP docs, it is better for us to also use this
generic DrsOptions bitfield rather than one per operations.
2010-01-18 07:25:18 +11:00
Andrew Tridgell
dde836adbd s4-drs: allow for security bypass for DsReplicaGetInfo
Use --option=drs:disable_sec_check=true until the group membership bug
with the PAC is fixed.
2010-01-17 10:52:31 +11:00
Andrew Tridgell
8342d08f5c s4-dsdb: take advantage of local cursor and sort
in getncchanges and repl task we don't need the extra load and sort
any more.
2010-01-16 14:10:43 +11:00
Andrew Tridgell
0bba44094a s4-drs: use dsdb_load_udv_v2() in getncchanges code 2010-01-16 14:10:43 +11:00
Andrew Tridgell
3a9b33b487 s4-drs: better debug info when security checks fail
show the security token of the user at debug level 2
2010-01-16 14:10:42 +11:00
Andrew Tridgell
5efff3ad6a s4-dsdb: require admin access for DsReplicaGetInfo 2010-01-16 14:10:42 +11:00
Andrew Tridgell
5bfeed89da s4-drs: framework for DsGetReplInfo(), includes the DS_REPL_INFO_NEIGHBORS infoType.
This patch includes the framework for the implementation of all infoTypes of
the DsGetReplInfo() call, and includes the implementation for the first one,
the DS_REPL_INFO_NEIGHBORS.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-01-16 14:10:42 +11:00
Andrew Tridgell
22d92157e3 s4-drs: give better debug info on unsupported DRS calls 2010-01-16 14:10:41 +11:00
Matthias Dieter Wallnöfer
40bc48dfa9 s4:SAMR RPC - Fix the criteria for group searches
This should match the MS-SAMR documentation (section 3.1.5.5.1.1)
2010-01-14 10:58:06 +01:00
Andrew Tridgell
2008d24e91 s4-drs: switch the DRS server to the generic DRS options flags 2010-01-14 15:37:59 +11:00
Andrew Tridgell
a894eeab77 s4-debug: lower the verbosity of a couple of common log messages 2010-01-09 21:59:34 +11:00
Andrew Tridgell
04e82370db s4-drs: base is_nc_prefix on instanceType
for extended operations comparing to the ncRoot_dn is not correct
2010-01-09 18:56:30 +11:00
Andrew Tridgell
67d8518f2c s4-drs: having no SPNs to change is not an error 2010-01-09 18:56:30 +11:00
Andrew Tridgell
ba745a4356 s4-drs: fixed writespn to ignore add/delete errors
When a SPN is added and already exists, it is ignored. Similarly, when
a SPN is deleted and doesn't exist, it is ignored.
2010-01-09 18:56:30 +11:00
Andrew Tridgell
acf33e0d58 s4-drs: moved the DsWriteAccountSpn call to its own file 2010-01-09 18:56:29 +11:00
Andrew Tridgell
1158c13861 s4-drs: need to set the getncchanges extended_ret on success too 2010-01-09 18:56:29 +11:00
Andrew Tridgell
39730ac302 s4-drs: be less verbose when we filter objects by UDV 2010-01-09 18:56:28 +11:00
Andrew Tridgell
349f7ba09c s4-drs: added filtering by udv in getncchanges
When a client supplied an uptodateness_vector, we can use it to filter
what objects we return. This greatly reduces the amount of replication
traffic between DCs.
2010-01-09 13:11:27 +11:00
Andrew Tridgell
9e6eb22f7f s4-drs: fixed the NC in the getncchanges RID alloc reply
the search happens on a different DN to the NC of the request, but the
reply is with the original NC
2010-01-09 10:15:14 +11:00
Andrew Tridgell
196cb6b359 s4-drs: fixed usage of ldb_dn_new() 2010-01-09 10:15:12 +11:00
Andrew Tridgell
8d87c0a0c3 s4-drs: added two more SPNs in addentry
w2k8r2 wants these after a DCPROMO

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 18:24:54 +11:00
Andrew Tridgell
5803253362 s4-drs: we need to wrap extended operations in transactions 2010-01-08 13:03:05 +11:00
Andrew Tridgell
ac5d426062 s4-drs: added some debug messages
It is nice to see when a RID Alloc is successful
2010-01-08 13:03:02 +11:00
Andrew Tridgell
f254091957 s4-dsdb: added support for DRSUAPI_EXOP_FSMO_RID_ALLOC
This allocates a RID pool for the client DC when we are the RID Manager

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 13:03:02 +11:00
Andrew Tridgell
e809b721e9 s4-drs: don't give an error on repsTo delete if add is also specified
w2k8-r2 in dcpromo asks for a delete+add during its initial join.
2010-01-02 17:28:35 +11:00
Andrew Tridgell
00b39c70f5 s4-dsdb: switched to using RMD_FLAGS instead of DELETED in extended DNs
This allows for more flags in the future
2010-01-02 08:16:57 +11:00
Andrew Tridgell
e3cf818c27 s4-drs: sort linked attributes
See MS-DRSR section 4.1.10.5.17 for a description of the sorting
comparison function
2010-01-02 08:16:55 +11:00
Andrew Tridgell
38160deac4 s4-drs: use dsdb linked attribute parse functions
This makes the code considerably more readable
2010-01-02 08:16:54 +11:00
Andrew Tridgell
a81dd03917 s4-drs: set flag to indicate that we do support linked attributes 2010-01-02 08:16:54 +11:00
Andrew Tridgell
0c2afdd5a9 s4-drs: update highwatermark after successfully encoding the object 2010-01-02 08:16:52 +11:00
Andrew Tridgell
ff6dd4a67f s4-drs: send all linked attributes at the end of a replication cycle
This ensures that a link is not seen before the object it points to
2010-01-02 08:16:52 +11:00
Andrew Tridgell
5bf257fa9b s4-drs: use the extended linearized form for DRS replication
We were sending zero GUIDs. Not good!

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-02 08:16:52 +11:00
Andrew Tridgell
7653f56bd4 s4-drs: implemented sorting functions based on replication flags
I think we probably have more work to do on the sort order, but this
brings us a bit closer.
2010-01-02 08:16:52 +11:00
Andrew Tridgell
701148bbe9 s4-drs: we are doing the sorting for getncchanges in the app code now
the sorting is quite delicate, and easier to get right in the
getncchanges code

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-02 08:16:52 +11:00
Andrew Tridgell
cb00e443a3 s4-drs: give a reason when an AddEntry commit fails
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-02 08:16:52 +11:00
Andrew Tridgell
340d7e807b s4-drs: fixed the UDV return in getncchanges
We should overwrite an existing entry if found
2010-01-02 08:16:51 +11:00
Andrew Tridgell
bcc952d19d s4-drs: some useful debugging options for getncchanges
Added two debugging parametric options

  drs:max object sync = 
  drs:extra filter =
2010-01-02 08:16:51 +11:00
Andrew Tridgell
225bcfa4e6 s4-drs: handle mixtures of old and new style links in getncchanges
We need to send non-upgraded links using the old format
2010-01-02 08:16:51 +11:00
Andrew Tridgell
fde3f64373 s4-drs: added linked attribute replication to getncchanges 2010-01-02 08:16:50 +11:00
Andrew Tridgell
beba977213 s4-dsdb: ask for REVEAL_INTERNALS in getncchanges
We need this for the linked attribute meta data
2010-01-02 08:16:50 +11:00
Matthias Dieter Wallnöfer
e22e336f41 s4:drsuapi/getncchanges.c - Update the list of operational attributes
- Reorder them as specified in "operational.c"
- Add also the lan manager hash password attribute
2009-12-16 09:45:22 +01:00
Andrew Tridgell
732c701c52 s4-drs: ensure we fill in ncRoot_dn in getncchanges
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2009-12-09 18:18:26 +11:00
Andrew Tridgell
16eb25b35b s4-drs: use parentGUID attribute in getncchanges
Now that parentGUID is reliable again, use it instead
of building our own

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2009-12-09 18:18:25 +11:00
Andrew Tridgell
ced3eef776 s4-drsutil: fixed a memory leak in samdb_search_count
In general functions that don't return any memory should not take a memory context.
Otherwise it is too easy to have a bug like this where memory is leaked
2009-12-04 17:49:19 +11:00
Andrew Tridgell
8d7a43fed7 s4-drs: fixed UDV and overlapping sync calls in DRS
When windows abandons a DRS sync, it will sometimes re-use the same bind handle for
a new sync. This means we need to check the DN of the sync and blank the getnc_state
if the DN has changed.

This also fixes the UDV to use the highest uSN for the partition, not for
the whole SAM.
2009-12-03 10:27:59 +11:00
Matthias Dieter Wallnöfer
f7c28db475 s4:WINREG RPC server - add another "talloc_unlink" in "DeleteKey"
Also here we waste memory - therefore free the pointless handle after the delete.
2009-11-27 23:23:32 +01:00
Matthias Dieter Wallnöfer
6f7cfb0e10 s4:WINREG RPC server - Reintroduce the free operation on "CloseKey"
Better use "talloc_unlink" here Since we could have more than one reference.
2009-11-27 23:23:31 +01:00
Matthias Dieter Wallnöfer
9e852a1759 Revert "s4-netlogon: always set the dNSHostName in GetDomainInfo"
This reverts commit 87b6f2e863.

This was the cause of the breakage of the "LogonGetDomainInfo" testsuite. I
think my behaviour is more correct to Windows Server since the test works
against it (at least release 2003 R2).

One problem I discovered is that freshly joined workstations don't get their
DNS name into the directory. Therefore I think also another part (maybe another
RPC call) is able to do this.
2009-11-24 20:30:07 +01:00
Matthias Dieter Wallnöfer
03b6e6e525 s4:netlogon RPC - Remove trailing whitespace 2009-11-22 15:54:16 +01:00
Matthias Dieter Wallnöfer
8b345ef19e s4:netlogon RPC - Fix up the error handling 2009-11-22 15:51:18 +01:00
Matthias Dieter Wallnöfer
1fb28b0204 s4:netlogon RPC - Fix up a comment
Now we have Windows 7 released so don't refer to a beta anymore.
2009-11-22 15:50:36 +01:00
Matthias Dieter Wallnöfer
ae1e949810 s4:lsa RPC - Fix type of variable "atype"
This is an unsigned 32bit integer.
2009-11-21 19:53:37 +01:00
Matthias Dieter Wallnöfer
7d5367fc99 s4:samr RPC - Use more LDB constants 2009-11-21 19:53:37 +01:00