1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Commit Graph

847 Commits

Author SHA1 Message Date
Jeremy Allison
93ca3eee55 r15129: Separate out mechanism and policy for NTLMSSP auth/sign/seal.
With this change (and setting lanman auth = no in smb.conf)
we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth.
Jeremy
2007-10-10 11:16:25 -05:00
Günther Deschner
0fed66926f r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS
servers. Also add a new "net rpc audit" tool. The lsa query infolevels
were taken from samb4 IDL, the lsa policy flags and categories are
partly documented on msdn. I need to cleanup the double
lsa_query_info_policy{2}{_new} calls next.

Guenther
2007-10-10 11:15:59 -05:00
Jeremy Allison
f88f2d9368 r14784: Fix coverity bug #274. Null deref.
Jeremy.
2007-10-10 11:15:48 -05:00
Jeremy Allison
c2636c1026 r14782: Fix coverity bug #273, null deref.
Jeremy.
2007-10-10 11:15:48 -05:00
Günther Deschner
38b18f428b r14643: Merge dcerpc_errstr from Samba 4.
Might need to rework prs_dcerpc_status().

Guenther
2007-10-10 11:15:41 -05:00
Günther Deschner
afc519530f r14585: Tighten argument list of kerberos_kinit_password again,
kerberos_kinit_password_ext provides access to more options.

Guenther
2007-10-10 11:15:38 -05:00
Gerald Carter
e49ca3af8c r14449: fix the build (sorry everyone) 2007-10-10 11:15:30 -05:00
Gerald Carter
a36529535d r14448: * protect against NULL cli_state* pointers in cli_rpc_pipe_open()
* Fix inverted logic check for machine accounts in get_md4pw()
2007-10-10 11:15:30 -05:00
Volker Lendecke
f2a24b63e3 r14244: Okay, had not seen that this happened twice.
Fix Coverity bug # 142.

Volker
2007-10-10 11:15:20 -05:00
Volker Lendecke
5a0087e636 r14243: Fix Coverity bug # 143 2007-10-10 11:15:20 -05:00
Jeremy Allison
6b44841592 r14121: We never pass NULL to the rpc_api_pipe fn so don't
trigger coverity checks by testing for NULL.
Jeremy.
2007-10-10 11:11:13 -05:00
Volker Lendecke
598513d1d3 r13958: Fix Coverity Bug # 141 2007-10-10 11:11:01 -05:00
Günther Deschner
0ae3fddf95 r13864: Some cleanup and the samr set security object function client-side.
Guenther
2007-10-10 11:10:57 -05:00
Jeremy Allison
00f8b4e1aa r13722: Ensure we use the correct enumerated type. Bug #3558
from jason@ncac.gwu.edu.
Jeremy.
2007-10-10 11:10:50 -05:00
Günther Deschner
5b89e8bc24 r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
  returning zero)

Guenther
2007-10-10 11:10:25 -05:00
Jeremy Allison
68005f6bdb r13641: Finish fix for #3510. Don't use client schannel when told
not to, cope with a server that doesn't offer schannel also.
Jeremy
2007-10-10 11:10:20 -05:00
Günther Deschner
c201e51de3 r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().
Guenther
2007-10-10 11:10:20 -05:00
Jeremy Allison
a2fb436fc5 r13539: Add 128 bit creds processing client and server. Thanks to Andrew Bartlett's
Samba4 code.
Jeremy.
2007-10-10 11:10:11 -05:00
Günther Deschner
290a581b75 r13522: Add SAMR_GET_USRDOM_PWINFO client-side.
Guenther
2007-10-10 11:10:09 -05:00
Jeremy Allison
e8e2fc79b4 r13475: Fix erroneous initialization caused by my renaming types.
Jeremy.
2007-10-10 11:10:05 -05:00
Günther Deschner
d27771ca1d r13451: Fix build warning.
Guenther
2007-10-10 11:10:04 -05:00
Günther Deschner
f60eddc0a4 r13442: Implement samr_chgpasswd_user3 server-side.
Guenther
2007-10-10 11:10:03 -05:00
Volker Lendecke
fc73690a70 r13350: Implement rpccli_samr_set_domain_info. Weird that it was not around :-)
Implement 'net rpc shell account' -- An editor for account policies

nt_time_to_unix_abs changed its argument which to me seems wrong, and I could
not find a caller that depends on this. So I changed it. Applied some more
const in time.c.

Volker
2007-10-10 11:06:26 -05:00
Gerald Carter
17e63ac4ed r13316: Let the carnage begin....
Sync with trunk as off r13315
2007-10-10 11:06:23 -05:00
Günther Deschner
eaaeaa767e r12853: Fix segfault in "net rpc vampire|samdump" (Bugzilla #3390).
The session key, after beeing set, was zeroed later on by the prs_init
in the CLI_DO_RPC macro.

Guenther
2007-10-10 11:06:04 -05:00
Jeremy Allison
5cab88f144 r12275: Fix memory leak found by Mikhail Kshevetskiy <kl@laska.dorms.spbu.ru>
and followed up by derrell@samba.org.
Jeremy.
2007-10-10 11:05:51 -05:00
Derrell Lipman
6c04a8f9ad r12236: r11740@cabra: derrell | 2005-12-14 13:16:58 -0500
check in the DEBUG message referenced in the previous commit
2007-10-10 11:05:50 -05:00
Derrell Lipman
62a02b8f2a r12225: r11729@cabra: derrell | 2005-12-13 22:59:45 -0500
1. Fix a crash bug which should have reared its ugly head ages ago, but for
    some reason, remained dormant until recently.  The bug pertained to
    libsmbclient doing a structure assignment of a cli after having opened a
    pipe.  The pipe open code makes a copy of the cli pointer that was passed
    to it.  If the cli is later copied (and that cli pointer that was saved
    is no longer valid), the pipe code will cause a crash during shutdown or
    when the copied cli is closed.

 2. The 'type' field in enumerated shares was not being set correctly with
    the new RPC-based mechanism for enumerating shares.
2007-10-10 11:05:50 -05:00
Günther Deschner
1fa8039397 r12106: Fix return value
Guenther
2007-10-10 11:05:45 -05:00
Günther Deschner
0705fed566 r11963: add rpccli_samr_chgpasswd3 from samba4.
Guenther
2007-10-10 11:05:40 -05:00
Günther Deschner
8609484ff6 r11854: Remove unused DOM_SID.
Guenther
2007-10-10 11:05:30 -05:00
Günther Deschner
c54430a7b5 r11853: Add Dsr_GetSiteName (handy for experimenting with GPOs).
Guenther
2007-10-10 11:05:30 -05:00
Günther Deschner
a8bc4bc902 r11852: Fill in samr_get_dom_pwinfo based on Samba4.
Guenther
2007-10-10 11:05:30 -05:00
Volker Lendecke
62d01ce7e6 r11706: Implement dsr_getdcname client code. It's handy: It not only gives you the IP
address but also the fqdn of the remote dc and site info.

Volker
2007-10-10 11:05:24 -05:00
Jeremy Allison
d1caef8663 r11573: Adding Andrew Bartlett's patch to make machine account
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
2007-10-10 11:05:20 -05:00
Jeremy Allison
37e6ef9389 r11492: Fix bug #3224 (I hope). Correctly use machine_account_name
and client_name when doing netlogon credential setup.
Jeremy.
2007-10-10 11:05:18 -05:00
Jeremy Allison
3ba5d02cff r11491: If we get a reject ensure we're printing out the server/domain/machine
a/c we were asking for.
Jeremy.
2007-10-10 11:05:18 -05:00
Jeremy Allison
762fff4ddb r11443: Fix error code returns on client spoolss code. Fix them
up a *lot*.
Jeremy.
2007-10-10 11:05:16 -05:00
Jeremy Allison
aeca4efa11 r11338: Move knowledge of \\ needed into rpc_client/cli_netlogon
(this is the way it's been done in other functions). Instead
of moving this into the IDL, I think the best solution would
be to write a wrapper function around any call that needs
this (this is what we already do for many of the calls).
Jeremy.
2007-10-10 11:05:13 -05:00
Jeremy Allison
f313757e36 r11336: Start to get my control back :-). Volker, I think
Andrew Bartlett is right - making lsa code do it the
netlogon way, not vica-versa.
Jeremy.
2007-10-10 11:05:13 -05:00
Volker Lendecke
8d7713431e r11320: Fix error handling for rpccli_netlogon_getdcname. Jeremy, the other functions
in cli_netlogon look similarly suspicious.

Volker
2007-10-10 11:05:11 -05:00
Jeremy Allison
d720867a78 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
2007-10-10 11:05:02 -05:00
Günther Deschner
e3a7813721 r10908: Fix PIPE mismatch to make wbinfo -m work again
Guenther
2007-10-10 11:04:55 -05:00
Jeremy Allison
92fa541f6e r10801: Janitor for tpot - remember to keep 3.0 in sync.
Jeremy.
2007-10-10 11:04:54 -05:00
Jeremy Allison
76408ddd5b r10780: Fix typo noticed by Volker.
Jeremy.
2007-10-10 11:04:53 -05:00
Jeremy Allison
ed62720f89 r10778: Allow schannel setup over NTLMSSP authenticated pipes.
Jeremy.
2007-10-10 11:04:53 -05:00
Jelmer Vernooij
03a3caaddd r10747: Remove overparanoid check that broke RPC function calls with no
[in] parameters.
2007-10-10 11:04:51 -05:00
Jeremy Allison
bb1ba9a908 r10745: Fix artificial 1k restriction.
Jeremy.
2007-10-10 11:04:51 -05:00
Gerald Carter
939c3cb5d7 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
2007-10-10 11:04:48 -05:00
Jeremy Allison
e1c9813d63 r10269: Server-side fix for creds change - revert jcmd's change.
Jeremy.
2007-10-10 11:03:40 -05:00
Gerald Carter
ef721333ab r9739: conver the reg_objects (REGSUBKEY_CTR & REGVAL_CTR) to use
the new talloc() features:

 Note that the REGSUB_CTR and REGVAL_CTR objects *must* be talloc()'d
 since the methods use the object pointer as the talloc context for
 internal private data.

 There is no longer a regXXX_ctr_intit() and regXXX_ctr_destroy()
 pair of functions.  Simply TALLOC_ZERO_P() and TALLOC_FREE() the
 object.

Also had to convert the printer_info_2->NT_PRINTER_DATA field
to be talloc()'d as well.  This is just a stop on the road to
cleaning up the printer memory management.
2007-10-10 11:03:25 -05:00
Günther Deschner
7afb424091 r9041: typo. Thanks jerry.
Guenther
2007-10-10 11:00:24 -05:00
Gerald Carter
f81b885f46 r9040: revert pointer checks that I had removed; fixes crash in calls to enumprinterdata() 2007-10-10 11:00:24 -05:00
Volker Lendecke
503a58b6be r8833: Fix some uninitialized variables.
Volker
2007-10-10 11:00:18 -05:00
Jeremy Allison
fd6e342746 r8805: Merge a duplicate struct. Get ready to support SPNEGO rpc binds.
Jeremy.
2007-10-10 11:00:18 -05:00
Gerald Carter
cd961e50a3 r8654: merging cli_spoolss_XX() updates from trunk 2007-10-10 11:00:14 -05:00
Gerald Carter
0d6352da48 r7995: * privileges are local except when they're *not*
printmig.exe assumes that the LUID of the SeBackupPrivlege
  on the target server matches the LUID of the privilege
  on the local client.  Even though an LUID is never guaranteed
  to be the same across reboots.  How *awful*!  My cat could
  write better code! (more on my cat later....)

* Set the privelege LUID in the global PRIVS[] array

* Rename RegCreateKey() to RegCreateKeyEx() to better match MSDN

* Rename the unknown field in RegCreateKeyEx() to disposition
  (guess according to MSDN)

* Add the capability to define REG_TDB_ONLY for using the reg_db.c
  functions and stress the RegXXX() rpc functions.
2007-10-10 10:58:07 -05:00
Jeremy Allison
9506b8e145 r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
2007-10-10 10:58:00 -05:00
Gerald Carter
d50f0ba07e r7878: mostly just a rename of REG_INFO to REG_QUERY_VALUE for better clarity 2007-10-10 10:58:00 -05:00
Gerald Carter
e188fdbef8 r7691: * add .gdbinit to the svn:ignore files
* start adding write support to the Samba registry
  Flesh out the server implementations of
  RegCreateKey(), RegSetValue(), RegDeleteKey() and RegDeleteValue()

I can create a new key using regedit.exe now but the 'New Key #1'
key cannot be deleted yet.
2007-10-10 10:57:19 -05:00
Gerald Carter
2f08a904ee r7664: add access check hooks to _reg_open_entry which are passed off
to the reg_XXX backend.  If the backend does not define
a regkey_access_check() function, we default to using the
standard registry_access_check()
2007-10-10 10:57:19 -05:00
Gerald Carter
023728c059 r7649: * fix compile breakage (sorry, should have done a make clean before the
last checking).
* rename unknown field in REG_GETVERSION
* add server stubs for RegDeleteKey() and RegDeleteValue()
2007-10-10 10:57:18 -05:00
Gerald Carter
ce82566bad r7645: adding server stubs for RegCreateKey() and RegSetValue() 2007-10-10 10:57:18 -05:00
Günther Deschner
97097497ae r7632: Cleanup "net share migrate"-code.
* Allow to copy share security descriptors to already existing shares
  separatly.

* Added abstraction function to enum all or a single share info

Guenther
2007-10-10 10:57:17 -05:00
Günther Deschner
08d124079f r7534: Add missing cli_srvsvc_net_share_set_info-function and
rpcclient-testers.

Needed in preparation of share-ACL migration in net.

Guenther
2007-10-10 10:57:11 -05:00
Gerald Carter
a0ac9a8ffd r7415: * big change -- volker's new async winbindd from trunk 2007-10-10 10:57:08 -05:00
Günther Deschner
5125852939 r7391: - Added client-support for various lsa_query_trust_dom_info-calls and a
rpcclient-tester for some info-levels.

  Jerry, I tried to adopt to prs_pointer() where possible and to not
  interfere with your work for usrmgr.

- Add "net rpc trustdom vampire"-tool.

  This allows to retrieve Interdomain Trust(ed)-Relationships from
  NT4-Servers including cleartext-passwords (still stored in the local
  secrets.tdb).

  The net-hook was done in cooperation with Lars Mueller
  <lmuelle@suse.de>.

  To vampire trusted domains simply call:

        net rpc trustdom vampire -S nt4dc -Uadmin%pass

Guenther
2007-10-10 10:57:07 -05:00
Jeremy Allison
877e0a61f5 r7385: Rewrite the RPC bind parsing functions to follow the spec. I haven't yet
tested this so I may have screwed this up - however it now follows the
DCE spec. valgrinded tests to follow....
Jeremy.
2007-10-10 10:57:07 -05:00
Gerald Carter
f35e0a0a8d r6995: * fixing segfault when writing out registry values of zero length
* add RegSaveKey() client function
* add 'net rpc registry save' subcommand
2007-10-10 10:57:00 -05:00
Gerald Carter
81ffb0dbbb r6942: * merging the registry changes back to the 3.0 tree
* removing the testprns tool
2007-10-10 10:56:57 -05:00
Gerald Carter
c43c1ec80c r6601: fixing query and set alias info calls (level 1 from the
MMC manage computer plugin.
2007-10-10 10:56:46 -05:00
Volker Lendecke
61d40ac60d r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that for
--enable-developer=yes?

Volker
2007-10-10 10:56:41 -05:00
Gerald Carter
28d433351c r6232: more cleanups; remove BUFFER3; rename BUFFER4 -> RPC_DATA_BLOB; rename REG_CREATE_VALE -> REG_SET_VALUE 2007-10-10 10:56:30 -05:00
Gerald Carter
efb3ac4c69 r6228: remove BUFHDR2 and clean up LsaEnumTrustedDomains()
Tested client and server code.
2007-10-10 10:56:30 -05:00
Gerald Carter
0e29dc8aa3 r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count )
* add some backwards compatibility to 'net rpc rights list'
* verify privilege name in 'net rpc rights privileges <name>' in order
  to give back better error messages.
2007-10-10 10:56:20 -05:00
Gerald Carter
a7fb2c50b0 r6051: finish off
net rpc service stop
        net rpc service start
        net rpc service pause
        net rpc service resume
2007-10-10 10:56:19 -05:00
Gerald Carter
b921bf5688 r6046: $ net -S block -U % -W VALE rpc service status spooler
spooler service is SVCCTL_RUNNING.
Configuration details:
        Service Type         = 0x110
        Start Type           = 0x2
        Error Control        = 0x1
        Tag ID               = 0x0
        Executable Path      = C:\WINNT\system32\spoolsv.exe
        Load Order Group     = SpoolerGroup
        Dependencies         = RPCSS/
        Start Name           = LocalSystem
        Display Name         = Print Spooler
2007-10-10 10:56:18 -05:00
Gerald Carter
42588ba50c r6040: finish out 'net rpc service list' 2007-10-10 10:56:18 -05:00
Gerald Carter
759affb1e1 r6039: add CLI_DO_RPC macro for cookie cutter code; no new functionality to 'net rpc service' 2007-10-10 10:56:18 -05:00
Gerald Carter
4da89ef17b r6038: adding more flesh to 'net rpc service'
open and close the service control manager.

Also experimenting with ideas for cli_xxx() interface.
2007-10-10 10:56:17 -05:00
Gerald Carter
6bbd61cfd1 r6029: adding files necessary to support 'net rpc service' functions; will fill in tomorrow 2007-10-10 10:56:16 -05:00
Gerald Carter
4e0ac63c36 r6014: rather large change set....
pulling back all recent rpc changes from trunk into
3.0.  I've tested a compile and so don't think I've missed
any files.  But if so, just mail me and I'll clean backup
in a couple of hours.

Changes include \winreg, \eventlog, \svcctl, and
general parse_misc.c updates.

I am planning on bracketing the event code with an
#ifdef ENABLE_EVENTLOG until I finish merging Marcin's
changes (very soon).
2007-10-10 10:56:15 -05:00
Gerald Carter
1f00602786 r5946: BUG 2497: fix bug in rpcclient's deletedriverex when asking to delete all versions of a driver 2007-10-10 10:56:10 -05:00
Gerald Carter
25121547ca r5805: merging spoolss parsing changes from trunk and cleaning up resulting segvs 2007-10-10 10:56:01 -05:00
Gerald Carter
277203b535 r5726: merge LsaLookupPrivValue() code from trunk 2007-10-10 10:55:57 -05:00
Jim McDonough
8360695fc0 r5591: Implement "net rpc trustdom del", including client side of
samr_remove_sid_from_foreign_domain.
2007-10-10 10:55:49 -05:00
Günther Deschner
1c8616618c r5511: Fix pipe-mismatch for NETDFS.
Guenther
2007-10-10 10:55:43 -05:00
Volker Lendecke
03ec1bd9e5 r5471: In cli_samr_lookup_rids, flags is not a flags but an array size. W2k3 rejects
everything but 1000 here, so there's no point in exposing that to the caller.

Thanks,

Volker
2007-10-10 10:55:42 -05:00
Volker Lendecke
43dcf0f5cb r5469: Fix error codes of samr_lookup_rids: There's also STATUS_SOME_UNMAPPED.
Thanks,

Volker
2007-10-10 10:55:42 -05:00
Jim McDonough
bfd9b9e997 r5339: Fix 'net rpc trustdom establish'. Use the right pipe name, therefore the
right pipe FID.  Fixes NT_STATUS_INVALID_HANDLE error.
2007-10-10 10:55:38 -05:00
Gerald Carter
558525abf1 r5140: (a) fix problem with enumerating domain trusts in security = ads; (b) fix a segfault in rpcclient's dsenumdomtrusts 2007-10-10 10:55:29 -05:00
Gerald Carter
d25fc84bc2 r4849: * finish SeAddUsers support in srv_samr_nt.c
* define some const SE_PRIV structure for use when
  you need a SE_PRIV* to a privilege
* fix an annoying compiler warngin in smbfilter.c
* translate SIDs to names in 'net rpc rights list accounts'
* fix a seg fault in cli_lsa_enum_account_rights caused by
  me forgetting the precedence of * vs. []
2007-10-10 10:53:59 -05:00
Gerald Carter
bf4385c79a r4821: finish off 'net rpc rights [list|grant|revoke]'
one small todo item is to add a 'accounts' sub option
to 'net rpc list' so enumerate all privileged SIDs
and their associated rights.
2007-10-10 10:53:56 -05:00
Volker Lendecke
a24df21e66 r4751: This is a domain policy, not a user one 2007-10-10 10:53:54 -05:00
Volker Lendecke
f2f08b64a5 r4750: Fix cli_samr_queryuseraliases. There can be more than one sid, thus more than
one pointer...

Volker
2007-10-10 10:53:54 -05:00
Gerald Carter
4b351f2fcc r4736: small set of merges from rtunk to minimize the diffs 2007-10-10 10:53:52 -05:00
Gerald Carter
77c10ff9aa r4724: Add support for Windows privileges in Samba 3.0
(based on Simo's code in trunk).  Rewritten with the
following changes:

* privilege set is based on a 32-bit mask instead of strings
  (plans are to extend this to a 64 or 128-bit mask before
   the next 3.0.11preX release).
* Remove the privilege code from the passdb API
  (replication to come later)
* Only support the minimum amount of privileges that make
  sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
  instead of the 'is a member of "Domain Admins"?' check that started
  all this.

Still todo:

* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
  parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
  Samba DC to another.
* Come up with some management tool for manipultaing privileges
  instead of user manager since it is buggy when run on a 2k client
  (haven't tried xp).  Works ok on NT4.
2007-10-10 10:53:51 -05:00
Jeremy Allison
511cdec60d r4656: Convert the winreg pipe to use WERROR returns (as it should).
Also fix return of NT_STATUS_NO_MORE_ENTRIES should be
ERROR_NO_MORE_ITEMS reported by "Marcin Porwit" <mporwit@centeris.com>.
Jeremy.
2007-10-10 10:53:50 -05:00
Volker Lendecke
dc294c52e0 r4570: Replace cli->nt_pipe_fnum with an array of NT file numbers, one for each
supported pipe. Netlogon is still special, as we open that twice, one to do
the auth2, the other one with schannel.

The client interface is completely unchanged for those who only use a single
pie. cli->pipe_idx is used as the index for everything except the "real"
client rpc calls, which have been explicitly converted in my last commit. Next
step is to get winbind to just use a single smb connection for multiple pipes.

Volker
2007-10-10 10:53:47 -05:00
Volker Lendecke
93eab05020 r4561: This looks a lot larger than it is, this is to reduce the clutter on future
patches.

Pass down the pipe_idx down to all functions in cli_pipe where nt_pipe_fnum is
referenced. First step towards having multiple pipes on a cli_struct. The idea
is to not have a single nt_pipe_fnum but an array for the pipes we support.

Volker
2007-10-10 10:53:47 -05:00
Günther Deschner
bd4c5125d6 r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting
acct_flags with bizarre values, breaking a lot of things.

This patch is successfully running in a production environment for quite
some time now and is required to finally allow Exchange 5.5 to access
another Exchange Server when both are running on NT4 in a
samba-controlled domain. This also allows Exchange Replication to take
place, Exchange Administrator to access other Servers in the network,
etc. Fixes Bugzilla #1136.

Thanks abartlet for helping me with that one.

Guenther
2007-10-10 10:53:41 -05:00
Jeremy Allison
620f2e608f r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
2007-10-10 10:53:32 -05:00
Günther Deschner
a24df09386 r3645: Allow deldriverex in rpcclient to delete drivers for a specific
architecture and a specific version.

Guenther
2007-10-10 10:53:11 -05:00
Gerald Carter
cfd51c0244 r3639: patch from Martin Zielinski <mz@seh.de> to add DeleteDriverEx() function to rpcclient 2007-10-10 10:53:11 -05:00
Volker Lendecke
f7f84aa1de r2935: This is a long-standing one in my patch-queue: A pair of net commands
(usersidlist/allowedusers) to scan a file server's share and list all users
who have permission to connect there.

Volker
2007-10-10 10:52:57 -05:00
Günther Deschner
944ad569c7 r2073: Adding getprinter level 7 to rpcclient.
Is there any other rpc-call to get the guid of a published printer?

Guenther
2007-10-10 10:52:30 -05:00
Günther Deschner
8f1716a29b r1692: first commit :)
* add IA64 to the architecture table of printer-drivers

* add new "net"-subcommands:

  net rpc printer migrate {drivers|printers|forms|security|settings|all}
        [printer]
  net rpc share migrate {shares|files|all} [share]

  this is the first part of the migration suite. this will will (once
  feature-complete) allow to do 1:1 server-cloning in the best possible way by
  making heavy use of samba's rpc_client-functions. all migration-steps
  are implemented as rpc/smb-client-calls; net communicates via rpc/smb
  with two servers at the same time (a remote, source server and a
  destination server that currently defaults to the local smbd). this
  allows e. g. printer-driver migration including driverfiles, recursive
  mirroring of file-shares including file-acls, etc. almost any migration
  step can be called with a migrate-subcommand to provide more flexibility
  during a migration process (at the cost of quite some redundancy :) ).

  "net rpc printer migrate settings" is still in a bad condition (many
  open questions that hopefully can be adressed soon).

  "net rpc share migrate security" as an isolated call to just migrate
  share-ACLs will be added later.

  Before playing with it, make sure to use a test-server. Migration is a
  serious business and this tool-set can perfectly overwrite your
  existing file/print-shares.

* along with the migration functions had to make I the following
  changes:

        - implement setprinter level 3 client-side

        - implement net_add_share level 502 client-side

        - allow security descriptor to be set in setprinterdata level 2
          serverside

guenther
2007-10-10 10:52:19 -05:00
Jeremy Allison
bd64f0c081 r1553: Good patch from Guenther Deschner <gd@sernet.de> to display share ACL
entries from rpcclient.
Jeremy.
2007-10-10 10:52:14 -05:00
Andrew Bartlett
36741d3cf5 r1492: Rework our random number generation system.
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork().

For other systems, we now only re-seed after a fork, and on startup.
No need to do it per-operation.  This removes the 'need_reseed'
parameter from generate_random_buffer().

Andrew Bartlett
2007-10-10 10:52:13 -05:00
Gerald Carter
c6e73ff091 r1380: adding debug message when encouting an ASU specific bug in an rpc_bind reply 2007-10-10 10:52:08 -05:00
Gerald Carter
e9f109d1b3 r991: Allow winbindd to use the domain trust account password
for setting up an schannel connection.  This solves the problem
of a Samba DC running winbind, trusting a native mode AD domain,
and needing to enumerate AD users via wbinfo -u.
2007-10-10 10:51:53 -05:00
Gerald Carter
316ba5ad89 r704: BUG 1315: fix for schannel client connections to server's that don't support 128 bit encryption 2007-10-10 10:51:34 -05:00
Gerald Carter
2cbcc07b7b r485: fix compile 2007-10-10 10:51:25 -05:00
Volker Lendecke
ec32167496 r269: Patch from Krischan Jodies <kj@sernet.de>: Implement 'net rpc group delete'.
Volker
2007-10-10 10:51:16 -05:00
Gerald Carter
911a28361b r196: merging struct uuid from trunk 2007-10-10 10:51:13 -05:00
Gerald Carter
a7e2730ec4 r39: * importing .cvsignore files
* updateing WHATSNEW with vl's change
2007-10-10 10:51:05 -05:00
Volker Lendecke
ae6840320f Implement NETLOGON GetDCName client side. You can ask a DC for the name of
a DC it trusts.

Volker
0001-01-01 00:00:00 +00:00
Andrew Bartlett
01fff20e6e Ensure we correctly set cli->nt_pipe_fnum on failure to correctly open the
NT session.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Gerald Carter
170c443b19 remove unused variable 0001-01-01 00:00:00 +00:00
Gerald Carter
3aac1e549e missed some of Derrel's changes 0001-01-01 00:00:00 +00:00
Gerald Carter
4d68d3d5dd asu/syntax/pc_netlink doesn't fill in the pipe name in the rpc_bind response so dont check for it 0001-01-01 00:00:00 +00:00
Volker Lendecke
e597420421 Add 'net rpc group [add|del]mem' for domain groups and aliases.
Volker
0001-01-01 00:00:00 +00:00
Volker Lendecke
76c75bb8a7 Add 'net rpc group add'. For this parse_samr.c had to be changed: The
group_info4 in set_dom_group_info also has the level in the record
itself. This seems not to be an align. Tested with NT4 usrmgr.exe. It can
still create a domain group on a samba machine.

Volker
0001-01-01 00:00:00 +00:00
Andrew Bartlett
2a2b1f0c87 This adds client-side support for the unicode/SAMR password change scheme.
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.

This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Gerald Carter
1c15bfacb4 BUG 972; check pointer in cli_ds_getprimarydominfo() before trying to copy a structure 0001-01-01 00:00:00 +00:00
Gerald Carter
ba9dc0d9fd fix segfault when sid_ptr == 0 in DsEnumDomainTrusts() reply 0001-01-01 00:00:00 +00:00
Andrew Bartlett
7c34de8096 This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
da408e0d5a Correctly handle per-pipe NTLMSSP inside a NULL session. Previously we
would attempt to supply a password to the 'inside' NTLMSSP, which the
remote side naturally rejected.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
06c3f15aa1 rpc_client/cli_lsarpc.c:
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
 - Add const

libads/ads_ldap.c:
 - Cleanup function for use

nsswitch/winbindd_ads.c:
 - Use new utility function ads_sid_to_dn
 - Don't search for 'dn=', rather call the ads_search_retry_dn()

nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
 - Fixup braindamage in cli_ds_enum_domain_trusts():
    - This function was returning a UNISTR2 up to the caller, and
      was doing nasty (invalid, per valgrind) things with memcpy()
    - Create a new structure that represents this informaiton in a useful way
      and use talloc.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
48123f7e42 Do not add NTLM2 to the NTLMSSP flags unconditionally - allow the
defaults specified by the caller to prevail.

Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing.

Call ntlmssp_sign_init() unconditionally in the client - we setup the
session key, why not setup the rest of the data.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Gerald Carter
5e062f72ba strequal() returns a BOOL, not an int like strcmp(); this fixes a bug in check_bind_response() 0001-01-01 00:00:00 +00:00
Andrew Bartlett
9ecf9408d9 Add support for variable-length session keys in our client code.
This means that we now support 'net rpc join' with KRB5 (des based)
logins.  Now, you need to hack 'net' to do that, but the principal is
important...

When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.

(server-side support to follow shortly)

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
f3bbc87b0d Changes all over the shop, but all towards:
- NTLM2 support in the server
 - KEY_EXCH support in the server
 - variable length session keys.

In detail:

 - NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).

 * This is known as 'NTLMv2 session security' *

(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes.  We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)

This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed.  This also needs to be turned off for
'security=server', which does not support this.

- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.

- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.

- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure.  This should help the SPNEGO implementation.

- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.

- The other big change is to allow variable length session keys.  We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter.  However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.

 * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *

- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe.  This
should help reduce some of the 'it just doesn't work' issues.

- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer.  (just allocate)


REMEMBER to make clean after this commit - I have changed plenty of data structures...
0001-01-01 00:00:00 +00:00
Volker Lendecke
029dcb351b This fixes a bug when establishing trust against a german W2k3 AD server. In
the bind response to WKSSVC it does not send \PIPE\ntsvcs as NT4 (did not
check w2k) but \PIPE\wkssvc. I'm not sure whether we should make this check at
all, so making it a bit more liberal should hopefully not really hurt.

Volker
0001-01-01 00:00:00 +00:00
cvs2svn Import User
e569418861 This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'. 0001-01-01 00:00:00 +00:00
Jim McDonough
532fab74c1 New files for support of initshutdown pipe. Win2k doesn't respond properly
to all requests on the winreg pipe, so we need to handle this new pipe.

First part of fix for bug #534
0001-01-01 00:00:00 +00:00
Volker Lendecke
198b01fc54 Merge from 3_0:
In cli_lsa_lookup_sids don't leave the domain field uninitialized if
some sid could not be mapped. Otherwise this call is unnecessarily
complicated to call.

Volker
0001-01-01 00:00:00 +00:00
Volker Lendecke
1337338522 In cli_lsa_lookup_sids don't leave the domain field uninitialized if
some sid could not be mapped. Otherwise this call is unnecessarily
complicated to call.

Volker
0001-01-01 00:00:00 +00:00
Jeremy Allison
aa7fb71357 Merge Volker's fix.
It's a perfectly valid condition to have zero alias members.

Jeremy.
0001-01-01 00:00:00 +00:00
Volker Lendecke
ccdcd88732 It's a perfectly valid condition to have zero alias members.
Volker
0001-01-01 00:00:00 +00:00
Jim McDonough
3ca8240aff Add client side code to do endpoint map queries. Currently does one
fixed query.  Updates to come soon.
0001-01-01 00:00:00 +00:00
Simo Sorce
c78f2d0bd1 split some security related functions in their own files.
(no need to include all of smbd files to use some basic sec functions)

also minor compile fixes
couldn't compile to test these due to some kerberos problems wirh 3.0,
but on HEAD they're working well, so I suppose it's ok to commit
0001-01-01 00:00:00 +00:00
Simo Sorce
66074d3b09 split some security related functions in their own files.
(no need to include all of smbd files to use some basic sec functions)

also minor compile fixes
0001-01-01 00:00:00 +00:00
Gerald Carter
9d2e585e5e commit sign only patch from Andrew; bug 167; tested using 2k & XP clientspreviously joined to the Samba domain 0001-01-01 00:00:00 +00:00
Gerald Carter
3802f5895e commit sign only patch from Andrew; bug 167; tested using 2k & XP clientspreviously joined to the Samba domain 0001-01-01 00:00:00 +00:00
Tim Potter
e2ab9e54cd Merge from 3.0:
>Fix for #480. Change the interface for init_unistr2 to not take a length
>but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string.
>This is not the case. Count it after conversion.
>Jeremy.
0001-01-01 00:00:00 +00:00
Jeremy Allison
f82c273a42 Fix for #480. Change the interface for init_unistr2 to not take a length
but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string.
This is not the case. Count it after conversion.
Jeremy.
0001-01-01 00:00:00 +00:00
Gerald Carter
585764305a fix some warnings found by the Sun C compiler 0001-01-01 00:00:00 +00:00
Gerald Carter
e1fac713e2 fix some warnings found by the Sun C compiler 0001-01-01 00:00:00 +00:00
Gerald Carter
c17a7dc9a1 sync 3.0 into HEAD for the last time 0001-01-01 00:00:00 +00:00
Andrew Bartlett
e10f0529fe - Fix the kerberos downgrade problem:
- When connecting to the NETOGON pipe, we make a call to auth2, in order
   to verify our identity.  This call was being made with negotiation flags
   of 0x1ff.  This caused our account to be downgraded.  If we instead make
   the call with flags > 1ff (such as 0x701ff), then this does not occour.

 - This is *not* related to the use of kerberos for the CIFS-level connection

My theory is that Win2k has a test to see if we are sending *exactly* what
NT4 sent - setting any other flags seems to cause us to remain intact.

Also ensure that we only have 'setup schannel' code in a few places, not
scattered around cmd_netlogon too.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Gerald Carter
5be5151568 working on fix for BUG #294. Not done yet, but this at least clears
up some of the false positives in "rpcclient -c getdriver".
Also make sure that we ask for version2 and 3 drivers on x86.
0001-01-01 00:00:00 +00:00
Herb Lewis
398bd14fc6 get rid of more compiler warnings 0001-01-01 00:00:00 +00:00
Andrew Bartlett
3547cb3def Change Samba to always use extended security for it's guest logins, (ie,
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.

When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login.  If you don't, your machine
account is demoted to NT4.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Tim Potter
4d26feabd7 Memory leak fix for create_rpc_bind_req() 0001-01-01 00:00:00 +00:00
Simo Sorce
3101c236b8 port latest changes from SAMBA_3_0 tree 0001-01-01 00:00:00 +00:00
Jim McDonough
a2bd8f0bfa Update my copyrights according to my agreement with IBM 0001-01-01 00:00:00 +00:00
Gerald Carter
0ab00ccaed working on transtive trusts issue:
* use DsEnumerateDomainTrusts() instead of LDAP search.
    wbinfo -m now lists all trusted downlevel domains and
    all domains in the forest.

Thnigs to do:

  o Look at Krb5 connection trusted domains
  o make sure to initial the trusted domain cache as soon
    as possible
0001-01-01 00:00:00 +00:00
Jeremy Allison
f3f29665bd Save us from possibly uninitialised variable (caught by gcc).
Jeremy.
0001-01-01 00:00:00 +00:00
Gerald Carter
f8abdd23e1 add a few more tidy ups. Now onto winbindd 0001-01-01 00:00:00 +00:00
Gerald Carter
c691c7f7d9 add support for DsEnumerateDomainTrusted for enumerating all the
trusted domains in a forest.
0001-01-01 00:00:00 +00:00
Gerald Carter
e12f6a8c13 domain in schannel bind credentials must be the dest domain, not ours 0001-01-01 00:00:00 +00:00
Andrew Bartlett
fa4d7be161 Schannel, once setup, may be used on *ANY* TCP/IP connection until the
connection that set it up has been shut down.

(Also, pipes still connected, and reconnections to the same pipe (eg SAMR)
may continue to use that session key until their TCP/IP connection is shut
down)

Allow further testing by printing out the session key, and allowing it's input
into rpcclient.

Next step is automatic storage in a TDB.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Tim Potter
2e5bd16654 Fix out of date comment. 0001-01-01 00:00:00 +00:00
Gerald Carter
e66541d0e1 fix the build. Ifdef out some code 0001-01-01 00:00:00 +00:00
Andrew Bartlett
77c3e69aef In the presense of RPC fragments, schannel is not strictly request/reply,
so the shared sequence number will not be strictly odd/even.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Gerald Carter
adb98e7b7c trying to get HEAD building again. If you want the code
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
0001-01-01 00:00:00 +00:00
Andrew Bartlett
6ca77bd28f Fix up our auth_pipe code to always cope with fragmented datagrams,
in both SCHANNEL and NTLMSSP.

(Try not to deal with a general case as individual special cases...)

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Gerald Carter
ff0c71148e fix schannel processing on fragmented PDUs. 'net rpc vampire' works again. 0001-01-01 00:00:00 +00:00
Andrew Bartlett
d941255a97 Fix compile error noticed by Ken Cross, use the utility function instead
of an inline replacement...

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
5472ddc9ea Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request
the schannel code, but I've included that anyway. :-)

This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code.  The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.

The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets.  (Still not yet functional)

This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c.  In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection.  (Previously we were limited to sealing,
and could only use the LM-password derived key).

Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation.  A future step is to replace
it with calls to the same NTLMSSP library.

Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier.  While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow.  I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.

rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection.  The 'schannel' command enables schannel
for all pipes until disabled.

This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.

(The same needs to be done to our server)

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Jeremy Allison
ff222716a0 Removed strupper/strlower macros that automatically map to strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
0001-01-01 00:00:00 +00:00
Volker Lendecke
e5664adc07 Fix for bug#3. Show comments when doing 'net group -l'.
Volker
0001-01-01 00:00:00 +00:00
Jeremy Allison
bc215612cb Add some basic DEBUG statements at level 10 so we can see what is being
called. This is *essential* (and should be done on all the other cli_XX
rpc calls) to help debug winbindd problems remotely.
Jeremy.
0001-01-01 00:00:00 +00:00
Tim Potter
dd063a298f Merge: clarify secure channel connection comment. 0001-01-01 00:00:00 +00:00
Tim Potter
5cb9b99f0f Clarify a comment: The secure channel connection must be opened on the
same session (TCP connection) as the one the challenge was requested
from.
0001-01-01 00:00:00 +00:00
Tim Potter
a8c11e8556 Fix two bugs that were stopping net rpc vampire from working over secure
channel:

  - If the domain name passed to create_rpc_bind_req() is empty, use
    lp_workgroup()

  - Correctly set the auth_padding field when the send_size is a multiple
    of 8 bytes

I've tested with nt4sp6 and win2ksp0 and it seems to work, although
there are no password hashes transferred from win2k.  The empty
passwords are being protected by the secure channel encryption though.
0001-01-01 00:00:00 +00:00
Volker Lendecke
8de04fcf68 Ok, this is a hack. On a netsec bind reply I did not see anything
useful in the auth verifier yet. So this patch ignores it.

Really checking this would be a lot more intrusive: in rpc_api_pipe we
would have to distinguish between binds and normal requests, or have
more state in the netsec info of cli_state, which is also somewhat
hackish.

Volker
0001-01-01 00:00:00 +00:00
Volker Lendecke
5b3cb7725a This puts real netlogon connection caching to winbind. This becomes
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.

Volker
0001-01-01 00:00:00 +00:00
Andrew Bartlett
97bc047434 Always initialise this - it helps callers who use this in a loop...
Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
542a8b1817 Turn down some DEBUG()s and remove some duplicate code spotted by dfenwick.
Andrew Bartlett
0001-01-01 00:00:00 +00:00
Jeremy Allison
30512b7d3e Fixes from Ronan Waide <waider@waider.ie> for large RPC writes.
Jeremy.
0001-01-01 00:00:00 +00:00
Jeremy Allison
a330bf170e Fixes from Ronan Waide <waider@waider.ie> for large RPC writes.
Jeremy.
0001-01-01 00:00:00 +00:00
Tim Potter
aa748e1da5 Minor cleanup of enum domain groups/aliases:
- return NT_STATUS_NO_MEMORY instead of NT_STATUS_UNSUCESSFUL if a
      talloc fails

  - don't try and tallocate memory when the number of entries returned was
    zero

  - rename some cut&pasted variable names in enum domain aliases function
0001-01-01 00:00:00 +00:00
Tim Potter
cb94b2b2d1 Minor cleanup of enum domain groups/aliases:
- return NT_STATUS_NO_MEMORY instead of NT_STATUS_UNSUCESSFUL if a
    talloc fails

  - don't try and tallocate memory when the number of entries returned was
    zero

  - rename some cut&pasted variable names in enum domain aliases function
0001-01-01 00:00:00 +00:00
Andrew Bartlett
f200a5b858 Merge from HEAD - always initailise this to zero - helps callers in loops. 0001-01-01 00:00:00 +00:00
Andrew Bartlett
6da9fd157b Always initialise this, to assist callers doing loops over this call.
Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
876e00fd11 Merge from HEAD - save the type of channel used to contact the DC.
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.

This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Jeremy Allison
942fede9a5 Fixes for multi-PDU schannel - based on Volker's code. This code needs
tidying up. Samsync still doesn't work due to bad parsing of net_io_sam_alias_info
with a blank description. Still working on this....
Jeremy.
0001-01-01 00:00:00 +00:00
Jeremy Allison
ec82e8e9f4 Fixes to make SCHANNEL work against a W2K DC. Still need to fix
multi-PDU encode/decode with SCHANNEL. Also need to test against WNT DC.
Jeremy.
0001-01-01 00:00:00 +00:00
Jeremy Allison
ff66d40970 Fixes to make SCHANNEL work in 3.0 against a W2K DC. Still need to fix
multi-PDU encode/decode with SCHANNEL. Also need to test against WNT DC.
Jeremy.
0001-01-01 00:00:00 +00:00
Andrew Bartlett
6e6b7b79ed Store the type of 'sec channel' that we establish to the DC. If we are a
workstation, we have to use the workstation type, if we have a BDC account,
we must use the BDC type - even if we are pretending to be a workstation
at the moment.

Also actually store and retreive the last change time, so we can do
periodic password changes again (for RPC at least).

And finally, a couple of minor fixes to 'net'.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Tim Potter
dfa9412da5 Merge: remove unused variables. 0001-01-01 00:00:00 +00:00
Tim Potter
800b79e836 Merge: incorrect arg to debug. 0001-01-01 00:00:00 +00:00
Tim Potter
27a608d6a3 Removed unused variables. 0001-01-01 00:00:00 +00:00
Tim Potter
a4704754d9 Fixed incorrect argument to debug. 0001-01-01 00:00:00 +00:00
Tim Potter
5b1807dddf Merge of samr lookup domain rpc client call from HEAD. 0001-01-01 00:00:00 +00:00
cvs2svn Import User
381649916e This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'. 0001-01-01 00:00:00 +00:00
Tim Potter
4ccd34ef83 A new RPC pipe! The \pipe\echo named pipe is for testing large RPC
requests and responses and is only compiled in when --enable-developer
is passed to configure.  It includes server and client side code for
generating and responding to functions on this pipe.  The functions are:

 - AddOne: add one to the uint32 argument and return ig
 - EchoData: echo back a variable sized char array to the caller
 - SourceData: request a variable sized char array
 - SinkData: send a variable sized char array and throw it away

There's a win32 implementation of the client and server in the
junkcode CVS repository in the rpcecho-win32 subdirectory.
0001-01-01 00:00:00 +00:00
Volker Lendecke
eaef0d8aef This is the netlogon schannel client code. Try a
rpcclient -S pdc -U% -c "samlogon user password"

and it should work with the schannel. Needs testing against platforms
different from NT4SP6.

Volker
0001-01-01 00:00:00 +00:00
Volker Lendecke
ecd0ee4d24 This is the netlogon schannel client code. Try a
rpcclient -S pdc -U% -c "samlogon user password"

and it should work with the schannel. Needs testing platforms
different from NT4SP6.

Volker
0001-01-01 00:00:00 +00:00
Volker Lendecke
1e03e95545 Auth2, not also Auth3 sends us flags back, although all the callers
ignore it.

Volker
0001-01-01 00:00:00 +00:00
Volker Lendecke
6ac6b0f4c0 Auth2, not also Auth3 sends us flags back, although all the callers
ignore it.

Volker
0001-01-01 00:00:00 +00:00
Tim Potter
67bc6bccc2 SAMR lookupdomain rpc client patches from amber palekar <amber@nu3.net> 0001-01-01 00:00:00 +00:00
Andrew Bartlett
ec071ca3dc (merge from HEAD)
NTLM Authentication:

- Add a 'privileged' mode to Winbindd.  This is achieved by means of a directory
  under lockdir, that the admin can change the group access for.

- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
  replacement:
 - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
   challenge.
 - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
   servers.
 - Tested - works for Win2k clients, but not Win9X at present.  NTLMSSP updates
   are needed.
 - Now uses fgets(), not x_fgets() to cope with Squid environment (I think
   somthing to do with non-blocking stdin).

- Add much more robust connection code to wb_common.c - it will not connect to
  a server of a different protocol version, and it will automatically try and
  reconnect to the 'privileged' pipe if possible.
  - This could help with 'privileged' idmap operations etc in future.

- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()

- Correctly pull our 'session key' out of the info3 from th the DC.  This is
  used in both the auth code, and in for export over the winbind pipe to
  ntlm_auth.

- Given the user's challenge/response and access to the privileged pipe,
  allow external access to the 'session key'.  To be used for MSCHAPv2
  integration.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
dcdc75ebd8 NTLM Authentication:
- Add a 'privileged' mode to Winbindd.  This is achieved by means of a directory
  under lockdir, that the admin can change the group access for.

- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
  replacement:
 - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
   challenge.
 - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
   servers.
 - Tested - works for Win2k clients, but not Win9X at present.  NTLMSSP updates
   are needed.
 - Now uses fgets(), not x_fgets() to cope with Squid environment (I think
   somthing to do with non-blocking stdin).

- Add much more robust connection code to wb_common.c - it will not connect to
  a server of a different protocol version, and it will automatically try and
  reconnect to the 'privileged' pipe if possible.
  - This could help with 'privileged' idmap operations etc in future.

- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()

- Correctly pull our 'session key' out of the info3 from th the DC.  This is
  used in both the auth code, and in for export over the winbind pipe to
  ntlm_auth.

- Given the user's challenge/response and access to the privileged pipe,
  allow external access to the 'session key'.  To be used for MSCHAPv2
  integration.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
cvs2svn Import User
f0d009c3e9 This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'. 0001-01-01 00:00:00 +00:00
Martin Pool
8d64419625 Ignore .po and .po32 files. 0001-01-01 00:00:00 +00:00
Tim Potter
c2e9673328 Merge of exit path cleanup for EnumDomainUsers. 0001-01-01 00:00:00 +00:00
Tim Potter
a20aba0999 Merge: const fixes. 0001-01-01 00:00:00 +00:00
Tim Potter
018733eedd More const fixes and flow on fixes from yesterday's const-fest. 0001-01-01 00:00:00 +00:00
Tim Potter
655c1e0351 Merge:
> Exit path cleanup for cli_samr_enum_dom_users()
0001-01-01 00:00:00 +00:00
Tim Potter
0bc1dfc68b Exit path cleanup for cli_samr_enum_dom_users() 0001-01-01 00:00:00 +00:00
Tim Potter
7edaf93796 Merge NTSTATUS vs WERROR return for cli_srvsvc_net_srv_get_info() 0001-01-01 00:00:00 +00:00
Tim Potter
619af61644 Return a WERROR instead of a NTSTATUS like the rest of the srvsvc
rpc calls.
0001-01-01 00:00:00 +00:00
Jeremy Allison
4c3ee228fc Ensure that only parse_prs.c access internal members of the prs_struct.
Needed to move to disk based i/o later.
Jeremy.
0001-01-01 00:00:00 +00:00
Jeremy Allison
a823fee5b4 Ensure that only parse_prs.c access internal members of the prs_struct.
Needed to move to disk based i/o later.
Jeremy.
0001-01-01 00:00:00 +00:00
Andrew Tridgell
f4f1f84a6b initial server side privileges implementation, using a tdb. This needs to be hooked into pdb, and we need some access control on changing privileges. That's next 0001-01-01 00:00:00 +00:00
Andrew Tridgell
3ddb5fb0dd added the 'lsaenumacctwithright' command to rpcclient. This allows you
to lookup what SIDs have a particular privilege (that is how
privileges are stored).
0001-01-01 00:00:00 +00:00
Andrew Bartlett
013fa87473 One more signed/unsigned fix 0001-01-01 00:00:00 +00:00
Jeremy Allison
1e752b48a1 Merge tpot's changes to request the correct sizes for user dispinfo
from HEAD. I had to do this for him as he was *so* tired, the poor
chap, plus he has this bad leg, plus the dog ate his homework etc. etc.
Jeremy.
0001-01-01 00:00:00 +00:00
Tim Potter
2eea2813d9 Pass down max_size parameter to cli_samr_query_dispinfo() instead of
using a hardcoded value later on.

Added a helper function that returns the observed values for
max_entries and max_size for each cli_samr_query_dispinfo() call.
These values were obtained from watching the NT4 user manager
application with ethereal and are the only ones that can enumerate a
60k user domain reliably under Windows 2000.
0001-01-01 00:00:00 +00:00
Jeremy Allison
49739be1e2 Merge tridge's client priv code from HEAD.
Jeremy
0001-01-01 00:00:00 +00:00
Andrew Tridgell
bf99440398 added LsaRemoveAccountRights
this now gives us complete remove privileges control in the client
libs, so we are in good shape for starting on the server side.
0001-01-01 00:00:00 +00:00
Jeremy Allison
30a33920b4 Merging tridge's privillage client changes from HEAD.
Jeremy.
0001-01-01 00:00:00 +00:00
Andrew Tridgell
2e5e659e09 cleaned up the lsa_enum_acct_rights function and added a
lsa_add_acct_rights function.

This allows us to add privileges remotely to accounts using rpcclient.
0001-01-01 00:00:00 +00:00
Tim Potter
648307ab3d Merge: remove dead function. 0001-01-01 00:00:00 +00:00
Andrew Tridgell
e3d00fa47d reverted this patch till I sort out the craziness with UNIHDR 0001-01-01 00:00:00 +00:00
Andrew Tridgell
b9eff31b14 This removes the 3rd argument from init_unistr2(). There were 240
calls to init_unistr2() in the code and every one of them got the 3rd
argument incorrect, so I thought it best just to remove the argument.

The incorrect usage was caused by callers using strlen() to determine
the length of the string. The 3rd argument to init_unistr2() was
supposed to be the character length, not the byte length of the
string, so for non-english this could come out wrong.

I also removed the bogus 'always allocate at least 256 bytes'
hack. There may be some code that relies on this, but if there is then
the code is broken and needs fixing.
0001-01-01 00:00:00 +00:00
Tim Potter
a1c790b5ea Let's clean up client side ntlmssp!
Removed a dead function.
0001-01-01 00:00:00 +00:00
Gerald Carter
7a4c874842 merging some rpcclient and net functionality from HEAD 0001-01-01 00:00:00 +00:00
Andrew Tridgell
65bac11d71 added cli_lsa_enum_account_rights() call. Note that this is in
principal similar to the existing cli_lsa_enum_privsaccount() call,
except that cli_lsa_enum_account_rights() doesn't require a call to
open_account first. There is also the minor matter that
cli_lsa_enum_account_rights() works whereas
cli_lsa_enum_privsaccount() doesn't!

this call can be used to find what privileges an account or group
has. This is a first step towards proper privileges support in Samba.
0001-01-01 00:00:00 +00:00
Tim Potter
056bdfbce7 Added comment about a SMB_ASSERT() 0001-01-01 00:00:00 +00:00
Richard Sharpe
9a38e37811 Make sure that those cleanups actually went in. 0001-01-01 00:00:00 +00:00
Richard Sharpe
fd847aa936 Now that I am running config.developer, I decided to get rif of some warnings:
1. reboot in parse_reg and cli_reg was shadowing a definition on FreeBSD
   4.3 from system includes.

2. Added a bit of const to places.

3. Made sure internal functions were declared where needed.
0001-01-01 00:00:00 +00:00
Gerald Carter
f8a915b14d [merge] make sure to update print queue cache during timeout_processing() to send notify events; CR 1491 0001-01-01 00:00:00 +00:00
Gerald Carter
142c5029c7 [merge] make sure to updatre print queue cache during timeout_processing() to send notify events; CR 1491 0001-01-01 00:00:00 +00:00
Andrew Bartlett
a4f7777ca0 Merge from HEAD - idra's fix for the fact that the shutdown command takes two 1
byte boolean flags, not a 16 bit bitmask.

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
3a7458f947 Merge from HEAD - make Samba compile with -Wwrite-strings without additional
warnings.  (Adds a lot of const).

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Andrew Bartlett
92a777d0ea BIG patch...
This patch makes Samba compile cleanly with -Wwrite-strings.
 - That is, all string literals are marked as 'const'.  These strings are
always read only, this just marks them as such for passing to other functions.

What is most supprising is that I didn't need to change more than a few lines of code (all
in 'net', which got a small cleanup of net.h and extern variables).  The rest
is just adding a lot of 'const'.

As far as I can tell, I have not added any new warnings - apart from making all
of tdbutil.c's function const (so they warn for adding that const string to
struct).

Andrew Bartlett
0001-01-01 00:00:00 +00:00
Simo Sorce
c5892b656d the shutdown call does not have a 16 bit flags, but 2 byte representing booleans
this commit change the structure and code to reflect this

some test revelead I'm right.

some other revelead currently the abort shutdown does not work against my test machine even if it returns successfully ... need investigation
0001-01-01 00:00:00 +00:00
Simo Sorce
ea2154b269 fix rpcclient querygroup command (from 2.2 and head) 0001-01-01 00:00:00 +00:00
Simo Sorce
8877ff2482 make querygroup in rpcclient working, same fix as per 2.2 tree 0001-01-01 00:00:00 +00:00
Jeremy Allison
ddd7099595 Ensure callid is not used uninitialized.
Jeremy.
0001-01-01 00:00:00 +00:00
Gerald Carter
481a8a8aa9 fix cli_ds_getprimarydominfo(); merge from SAMBA_3_0 0001-01-01 00:00:00 +00:00
Gerald Carter
e6184bbd8f * finializnig RedHat package for alpha21 release
* fix cli_ds_getprimarydominfo() (bad memcpy() )
0001-01-01 00:00:00 +00:00
Tim Potter
e643003dd4 Merge from appliance:
>Fix memory leak in cli_ds_getprimarydominfo()
0001-01-01 00:00:00 +00:00
Tim Potter
ca689916da Merge from appliance:
>Fix memory leak in cli_ds_getprimarydominfo()
0001-01-01 00:00:00 +00:00
Tim Potter
fdce4be719 A cool idea from mbp: create a big shared library of all Samba objects
which we can use to link against Samba unit test programs.  Now we can
compile and link unit tests without having to create 4MB executables
for each program

It's called libbigballofmud.so both to discourage casual usage and
also to reflect what the dependencies within Samba have become.
0001-01-01 00:00:00 +00:00
Jeremy Allison
f755711df8 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
0001-01-01 00:00:00 +00:00