IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Also tidied up some of Richard's code (I don't think he uses the compiler
flags -g -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual like
I do :-) :-).
Jeremy.
The work here includes:
- metze' set/changed patch, which avoids making changes to ldap on unmodified
attributes.
- volker's group mapping in passdb patch
- volker's samsync stuff
- volkers SAMR changes.
- mezte's connection caching patch
- my recent changes (fix magic root check, ldap ssl)
Andrew Bartlett
offset is zero. Previously we were jumping to the start of the
parse buffer (i.e offset zero) and reading string data until we hit
a terminating NULL.
Test case: in a PRINTER_INFO_0 structure, the servername field may be
NULL when doing an enumprinters with flags = PRINTER_ENUM_LOCAL.
The actual design change is relitivly small however:
It all goes back to jerry's 'BOOL store', added to many of the elements in a
SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into
ldap. This was a great win for admins, and this patch follows in the same way.
This patch extends the concept - we don't store values back into LDAP unless
they have been changed. So if we read a value, but don't update it, or we
read a value, find it's not there and use a default, we will not update
ldap with that value. This reduced clutter in our LDAP DB, and makes it
easier to change defaults later on.
Metze's particular problem was that when we 'write back' an unchanged value,
we would clear any muliple values in that feild. Now he can still have his
mulitivalued 'uid' feild, without Samba changing it for *every* other
operation.
This also applies to many other attributes, and helps to eliminate a nasty
race condition. (Time between get and set)
This patch is big, and needs more testing, but metze has tested usrmgr, and
I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly
flawed ;-).
The same system will be introduced into the SAM code shortly, but this fixes
bugs that people were coming across in production uses of Samba 3.0/HEAD, hence
it's inclusion here.
Andrew Bartlett
better job of working with usrmgr. Previously we were blanking out entires,
and all sort of mischif.
The new patch (which I've now had a chance to test/modify) also takes care not
to expand % values (ie we go \\%L\%U -> \\server\user, we don't want to store
\\server\user back) and to correctly notice 'not set' compared to 'null string'
etc.
Andrew Bartlett
- getprinterdataex(), setprinterdataex(), enumprinterdataex()
Pass data type down to setprinterdata() fn instead of hardcoding REG_SZ.
Did some trickyness to get enumprinterdataex replies unmarshalled
properly. The code seems to have been written to require the number
of entries returned before unpacking said entries. Skip to the end of
the response and read the number of entries then jump back and process
the printer data.
smb_io_chal() did a prs_align() but a challenge is an array of bytes.
and all code calling smb_io_chal() played with the alignment to not align !
I'm confident in my change, but I would *really* like if jeremy could look
at that.
J.F.
- SAM_DELTA_RENAME{USER,GROUP,ALIAS}
- SAM_DELTA_DELETE{USER,GROUP}
Renamed some of the unknown delta types and their unmarshalling functions:
- SAM_DELTA_TRUST_DOMS
- SAM_DELTA_SECRET_INFO
before the swap from NT_PRINTER_PARAM to REGISTRY_VALUE.
* XxxPrinterDataEx() functions have not been expanded to support
keys other than SPOOL_PRINTERDATA_KEY yet
* fixed apparent long standing bug regarding the dependentfiles
list in the DRIVER_INFO struct
* removed support for PHANTOM_DEVMODE printer data
* s/NT_PRINTER_PARAM/REGISTRY_VALUE/g - This was a good bit
of work. Everything seems stable, but is not complete.
* support for printer data keys other than PrinterDriverData
in the store and fetch routines. Still needs to be plugged
into the XxxPrinterDataEx() calls.
Tested against NT4.0 & 2k. Like I said, it's not done, but doesn't
crash so it shouldn't upset anyone (unless you're trying to build
a Samba printer server off of HEAD). More work to come. Should
settle by Monday.
jerry
This updates the 'winbind' authentication module and winbind's 'PAM' (actually
netlogon) code to allow smbd to cache connections to the DC.
This is particulary relevent when we need mutex locks already - there is no
parallelism to be gained anyway.
The winbind code authenticates the user, and if successful, passes back the
'info3' struct describing the user. smbd then interprets that in exactly the
same way as an 'ntdomain' logon.
Also, add parinoia to winbind about null termination.
Andrew Bartlett
is. I'm calling it REG_SAVE_KEY, because 2k preps a regedt32.exe
Registry->Save Key with this call.
Done in the process of tracking down a PrinterDriverData issue.
converting the first character of the unicode string., See convert_string()
for why. uniarray_2_dosarray() passes 0 for the src length now which works.
to the Samba tree.
Originally written by Nigel Williams" <nigel@veritas.com>, I've been
trying to keep it in some form of shape for the last 6 months. In particular
I think some of the code got committed a few months ago, and others have made
changes to the CVS version over time.
anyway, its finally in - and doesn't appear to have broken anything.
Now to try the client-side patches :-)
Andrew Bartlett
* normalize all registry key strings before storing or looking
up paths in the registry tdb
* return the current buffer size for REG_INFO even when not returning
actual data
* fix a segfault report by metze on #samba-technical so that the
user/group object picker works again (was the "ProductType" key
lookup that was failing).
* added REG_OPEN_HKCR for supporting regedit.exe
* All data n a REGISTRY_VALUE is stored to a pointer now
* fixed REG_INFO to correctly display data when double clicking on
and entry in the registry editor
* Will now enumerate installed driver_info_3 data
* fixed numerous bugs related to pointer offsets, memory issues, etc..
in the registry routines
* added a simple caching mechanism to fetch_reg_[keys|values]_specific()
All that is left now is to enumerate PrinterData and I will have finished
what I started out to do....
is not and [in/out] buffer
* registry value enumeration is working now for the Print\Forms
key. The format of the binary data is not quite right yet
but all installed forms are listed
security descriptors. We need to calculate the maximum offset and set the offset
back after reading/writing every field in the SEC_DESC.
This was *nasty* to find....
Jeremy.
the 'user cannot change password' button work. Needs help from a future SAM
backend, but at least this parses the data, and returns an error.
Andrew Bartlett
via regedt32.exe. The regsitry.tdb is only a framework. It is not
intended to store values, only key/subkey structure. The data
will be retrieved from nt*tdb (for printers) creating a virtual view
of the data.
You can currently connect to a Samba box using regedt32.exe (haven't
tried regedit.exe). Some basic keys are created in registry.tdb
for use.
There are two problems....
* something is getting freed in the winreg code that causes heap
corruption later on. As long as you don't play with the winreg
server functionality, I don't think you'll be bitten by this.
* no access controls are currently implemented
* I can't browse HKLM because regedt32 greys out the SYSTEM subkey.
ok so that was three....
*.o) and implment new enum_dom_users code in the SAMR RPC subsystem.
Incresingly, we are using the pdb_get_{user,group}_sid() functions, in the
eventual hope that we might one day support muliple domains off a single
passdb. To extract the RID, we use sid_peek_check_rid(), and supply an
'expected' domain SID.
The id21 -> SAM_ACCOUNT and id23 -> SAM_ACCOUNT code has been moved to
srv_samr_util.c, to ease linking in passdb users.
Compatiblity code that uses 'get_global_sam_sid()' for the 'expected' sid is in
pdb_compat.c
Andrew Bartlett
Tim, please check the prs_align() removed from sec_io_desc()
and make sure it doesn't break anything else. I know it is
right for the printing needs and I have tested some other
general things like viewing acls on directories, but I would
feel more comfortable if you would have a look as well.
jerry
cleanup some of the code in net_rpc_join re const warnings and
fstrings.
Passdb:
Make the %u and %U substituions in passdb work.
This is done by declaring these paramters to be 'const' and doing
the substitution manually. I'm told this is us going full circle,
but I can't really see a better way.
Finally these things actually seem to work properly...
Make the lanman code use the pdb's recorded values for homedir etc
rather than the values from lp_*()
Add code to set the plaintext password in the passdb, where it can
decide how to store/set it. For use with a future 'ldap password
change' option, or somthing like that...
Add pdb_unix, so as to remove the 'not in passdb' special cases from the
local_lookup_*() code. Quite small, as it uses the new 'struct passwd ->
SAM_ACCOUNT' code that is now in just one place. (also used by pdb_smbpasswd)
Other:
Fix up the adding of [homes] at session setup time to actually pass
the right string, that is the unix homedir, not the UNC path.
Fix up [homes] so that for winbind users is picks the correct name.
(bad interactions with the default domain code previously)
Change the rpc_server/srv_lsa_nt.c code to match NT when for the
SATUS_NONE_MAPPED reply: This was only being triggered on
no queries, now it is on the 'no mappings' (ie all mappings failed).
Checked against Win2k.
Policy Question: Should SID -> unix_user.234/unix_group.364 be
considered a mapping or not? Currently it isn't.
Andrew Bartlett
than a unistr2. Printer data isn't necessarily in unistr format.
Tallocate memory to hold returned data when unmarshalling getprinterdata
and enumprinterdata replies.
<mimir@diament.ists.pwr.wroc.pl>) this patch allows samba to correctly
enumerate its trusted domains - by exaimining the keys in the secrets.tdb file.
This patch has been tested with both NT4 and rpcclient/wbinfo, and adds
some extra functionality to talloc and rpc_parse to allow it to deal with
already unicode strings.
Finally, this cleans up some const warnings that were in net_rpc.c by pushing
another dash of const into the rpc client code.
Andrew Bartlett
on a 2 byte boundary. We then miss-parse the desired_access. Also added
other fixes to ensure we align after private data (discussed with Gerry).
Jeremy.
in the reverse).
* add in new printer change notify code from SAMBA_2_2
* add in se_map_standard() from 2.2 in _spoolss_open_printer_ex()
* sync up the _print_queue_struct in smb.h (why did someone change the
user/file names in fs_user/fs_file (or vice-versa) ? )
* sync up some cli_spoolss_XXX functions
<a.kotovich@sam-solutions.net> that adds the security decsriptor code
for ADS workstation accounts
thanks for your patience Cat, and thanks to Andrew Bartlett for
extensive reviews and suggestions about this code.
I'm pretty sure that the useless_ptr in spoolss_io_q_setform() needs to be
initialised to 1 otherwise the form isn't marshalled at all. JF, can you
verify this? If so then this probably applies to the io functions for
setform and deleteform.
winbind default domains, particulary now I understand whats going on a lot
better. This ensures that the RPC client code does as little 'magic' as
possible - this is up to the application/user. (Where - for to name->sid code
- it was all along). This leaves the change that allows the sid->name code to
return domains and usernames in seperate paramaters.
Andrew Bartlett
calls from rpc_parse/parse_net.c - instead these values are passed as a
paramater.
Unfortunetly some there is still some samr work to be done before this is
actually useful.
Andrew Bartlett
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
calculate them and always reply a size of 32 bytes whereas NT4 did the
maths. Anyway, it looks like the clients don't complain.
in query_dom_info() at level 2, return the real number of users and
groups. That's the fix to the W95/98 userlist bug !
as W95/98 does a query_dom_info(2) followed by a query_disp_info(4) on
the SAME context handle (err we call it an lsa policy handle ! plain
wrong name), I was tempted to keep the snapshoot in memory, to prevent
2 full user db enumerations in a row and just have one shared. But if some
client does the 2 calls on two different handles, we would have 2 copies
in memory not free'ed before the samr_close().
We still have too many fixed constant and too many magic values in that
code. And btw, I really hates how the sequence number is generated !
J.F.
instead of enumerating the whole user db or group db every time, we store
a in memory copy linked to the handle.
that's much faster for large enumeration where the db can't fit in a
single rpc packet. And as it's a copy, it's constant between enumeration.
still some stuff to clean. But now I can fix the W95 userlist bug, as I've
finally found it.
J.F.
some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the
length fields are not correct but that's what NT send. We don't anymore
underflow or overflow the decoding.
added the domain admins group to the default SD.
we are now checking the desired access flag in the lsa_open_policy_X()
calls and in most functions also.
J.F.
Made a note about NOTIFY_OPTION_TYPE and NOTIFY_OPTION_TYPE_DATA - they are
actually one structure. The latter is just the deferred referrant of the
former.
It's just to keep usermanager happy ;-)
clean up a bit samr_query_aliasinfo to return the group description
added: samr_del_aliasmem, samr_del_groupmem and samr_del_domuser
with the correct scripts, you can now entirely manage the users from
usermanager ! Closer to full PDC every day ;-)
J.F.
rpc. This was supposed to fix a printer driver download bug but it didn't
but it seemed a shame to trash all this code so I'm commiting it #ifdef'ed
out in case someone needs it one day.
- removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the
definition of standard_sub_basic() to cope with that.
- removed the smb.conf: 'domain admin group' and 'domain guest group'
parameters ! We're not playing anymore with the user's group RIDs !
- in get_domain_user_groups(), if the user's gid is a group, put it first
in the group RID list.
I just have to write an HOWTO now ;-)
J.F.
This moves the rest of the functionality into the 'net rpc join' code.
Futhermore, this moves that entire area over to the libsmb codebase, rather
than the crufty old rpc_client stuff.
I have also fixed up the smbpasswd -a -m bug in the process.
We also have a new 'net rpc changetrustpw' that can be called from a
cron-job to regularly change the trust account password, for sites
that run winbind but not smbd.
With a little more work, we can kill rpc_client from smbd entirly!
(It is mostly the domain auth stuff - which I can rework - and the
spoolss stuff that sombody else will need to look over).
Andrew Bartlett
You can change them with either usermanager->policies->account
or from a command prompt on NT/W2K: net accounts /domain
we can add a rpc accounts to the net command. As the net_rpc.c is still
empty, I did not start. How should I add command to it ? Should I take the
rpcclient/cmd_xxx functions and call them from there ?
alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more
for jeremy ;-)
J.F.
This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It
makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP
struct as some privilege showing in USRMGR.EXE are not real privs but a
bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT
3.1 box to verify, but I'm too lazy (yes I still have my CDs).
Added 3 more LSA calls: SetSystemAccount, AddPrivileges and
RemovePrivileges, we can manage all this privilege from UserManager.
Time to change the NT_USER_TOKEN struct and add checks in all the rpc
functions. Fun, fun, fun.
J.F.
We now get the full account policy window in usermanager, and the
framework to store all those values. I plan to add a TDB file to store
them.
oh, and found that the last value in a sam_unknown_info_12_inf struct is
an uint16 and not a uint32.
andrewb: you hardcoded the MAX_PASSWORD_AGE to 21 days. We can now turn it
to a value setable in usermanager.
J.F.
an array of uint32. That's not perfect but that's better.
Added more privileges too.
Changed the local_lookup_rid/name functions in passdb.c to check if the
group is mapped. Makes the LSA rpc calls return correct groups
Corrected the return code in the LSA server code enum_sids.
Only enumerate well known aliases if they are mapped to real unix groups.
Won't confuse user seeing groups not available.
Added a short/long view to smbgroupedit.
now decoding rpc calls to add/remove privileges to sid.
J.F.
discovered that our reply is short by 4 bytes since day 1 of this code.
Added a decode function to rpcclient too.
splitted the STRING2 fields filling while trying to understand the win9x
userlist bug. (didn't fix the bug, but the reply looks closer to NT).
J.F.
Andrew, this fixes domain logons in head. Please look at the change,
as I think you may have misunderstood the max_str_len field (which is
badly named)
Zero out some of the plaintext passwords for paranoia
Fix up some of the other passdb backends with the change to *uid_t rather than
uid_t.
Make some of the code in srv_netlog_nt.c clearer, is passing an array around,
so pass its lenght in is definition, not as a seperate paramater.
Use sizeof() rather than magic numbers, it makes things easier to read.
Cope with a PAM authenticated user who is not in /etc/passwd - currently by
saying NO_SUCH_USER, but this can change in future.
Andrew Bartlett
code.
In particular this assists tpot in some of his work, becouse it provides the
connection between the authenticaion and the vuid generation.
Major Changes:
- Fully malloc'ed structures.
- Massive rework of the code so that all structures are made and destroyed
using malloc and free, rather than hanging around on the stack.
- SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them
to be declared 'invalid' without the chance that people might get ROOT by
default.
- kill off some of the "DOMAIN\user" lookups. These can be readded at a more
appropriate place (probably domain_client_validate.c) in the future. They
don't belong in session setups.
- Massive introduction of DATA_BLOB structures, particularly for passwords.
- Use NTLMSSP flags to tell the backend what its getting, rather than magic
lenghths.
- Fix winbind back up again, but tpot is redoing this soon anyway.
- Abstract much of the work in srv_netlog_nt back into auth helper functions.
This is a LARGE change, and any assistance is testing it is appriciated.
Domain logons are still broken (as far as I can tell) but other functionality
seems
intact.
Needs testing with a wide variety of MS clients.
Andrew Bartlett
of the lm challenge/response header in the NET_ID_INFO_2 structure included
in a network logon request. It seems Windows 2000 is the only OS that
cares about this.
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
