path: root/source4/rpc_server/samr
Entries list: commit message, author, date, files changed, lines removed/added.
* Fix the O3 developer build
  Author: Volker Lendecke   Date: 2015-03-03   Files: 1   Lines: -10/+15
  Different gcc versions complain at different places
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Tue Mar 3 13:14:53 CET 2015 on sn-devel-104
* dsdb: Always store and return the userParameters as an array of LE 16-bit values
  Author: Andrew Bartlett   Date: 2014-07-09   Files: 1   Lines: -4/+13
  This is not allowed to be odd length, as otherwise we can not send it over the SAMR transport correctly.
  Allocating one byte less memory than required causes malloc() heap corruption and then a crash or lockup of the SAMR server.
  Andrew Bartlett
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130
  Change-Id: I5c0c531c1d660141e07f884a4789ebe11c1716f6
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4:samr: allow builtin groups for samr_OpenGroup.
  Author: Michael Adam   Date: 2014-05-03   Files: 1   Lines: -7/+16
  This fixes nsswitch getgrgid for builtins.
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Allow SAMR server to return the computed, not actual badPwdCount
  Author: Andrew Bartlett   Date: 2014-04-02   Files: 1   Lines: -2/+9
  This matters after the lockout observation period has expired.
  Note that QueryUserInfo level 3 returns the raw badPwdCount value.
  Andrew Bartlett
  Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.
  Author: Stefan Metzmacher   Date: 2014-04-02   Files: 1   Lines: -15/+1
  The samldb module will handle the verification and magic.
  Change-Id: If38e0ed229b98eac4db9b39988de4a25f9a352f2
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-samr: Escape the username in the LDAP filter
  Author: Andrew Bartlett   Date: 2014-04-02   Files: 1   Lines: -2/+2
  Change-Id: I99945f0b86ea2862c88c00ad39c809ef1101ca9b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth: Add password lockout support to the AD DC
  Author: Andrew Bartlett   Date: 2014-04-02   Files: 1   Lines: -2/+14
  Including a fix by Arvid Requate <requate@univention.de>
  Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords()
  Author: Andrew Bartlett   Date: 2014-04-02   Files: 1   Lines: -3/+11
  This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it.
  Andrew Bartlett
  Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
  Author: Andrew Bartlett   Date: 2014-04-02   Files: 1   Lines: -15/+13
  This allows us to avoid the domain lookup in the constructed attribute when not required.
  By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module.
  Andrew Bartlett
  Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2013-4496: Revert remainder of ce895609b04380bfc41e4f8fddc84bd2f9324340
  Author: Andrew Bartlett   Date: 2014-03-13   Files: 1   Lines: -34/+35
  Part of this was removed when ChangePasswordUser was unimplemented, but remove the remainder of this flawed commit.
  Fully check the password first, as extract_pw_from_buffer() already does a partial check of the password because it needs a correct old password to correctly decrypt the length.
  Andrew Bartlett
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
  Change-Id: Ibccc4ada400b5f89a942d79c1a269b493e0adda6
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-on: https://gerrit.samba.org/38
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Thu Mar 13 15:06:35 CET 2014 on sn-devel-104
* CVE-2013-4496: samr: Remove ChangePasswordUser
  Author: Andrew Bartlett   Date: 2014-03-13   Files: 1   Lines: -139/+6
  This old password change mechanism does not provide the plaintext to validate against password complexity, and it is not used by modern clients.
  It also has quite difficult semantics to handle regarding password lockout.
  The missing features in both implementations (by design) were:
  - the password complexity checks (no plaintext)
  - the minimum password length (no plaintext)
  Additionally, the source3 version did not check:
  - the minimum password age
  - pdb_get_pass_can_change() which checks the security descriptor for the 'user cannot change password' setting.
  - the password history
  - the output of the 'passwd program' if 'unix passwd sync = yes'.
  Finally, the mechanism was almost useless, as it was incorrectly only made available to administrative users with permission to reset the password.
  It is removed here so that it is not mistakenly reinstated in the future.
  Andrew Bartlett
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
  Change-Id: If2edd3183c177e5ff37c9511b0d0ad0dd9038c66
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-on: https://gerrit.samba.org/37
* s4:rpc_server: make use of dcerpc_binding_get_transport()
  Author: Stefan Metzmacher   Date: 2014-02-13   Files: 1   Lines: -1/+2
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* build: Build with system md5.h on OpenIndiana
  Author: Andrew Bartlett   Date: 2013-06-19   Files: 1   Lines: -1/+1
  This changes (again...) our system md5 detection to cope with how OpenIndiana does md5.
  I'm becoming increasingly convinced this isn't worth our while (we should have just done samba_md5...), but for now this change seems to work on FreeBSD, OpenIndiana and Linux with libbsd.
  This needs us to rename struct MD5Context -> MD5_CTX, but we provide a config.h define to rename the type bad if MD5_CTX does not exist (it does however exist in the md5.h from libbsd).
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
* s4:samr RPC server - dcesrv_samr_SetUserInfo() - password expiration
  Author: Matthias Dieter Wallnöfer   Date: 2013-06-10   Files: 1   Lines: -1/+7
  Also on level 26 this has to be handled the same as on levels 21, 23, 25.
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-rpc_server: limit allowed transports for samr_ValidatePassword().
  Author: Günther Deschner   Date: 2012-12-12   Files: 1   Lines: -0/+5
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:rpc_server/samr: do WRONG_PASSWORD checks after the complexity checks
  Author: Michael Adam   Date: 2012-12-11   Files: 1   Lines: -47/+65
  This matches the windows behavior.
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Michael Adam <obnox@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* lib/param: Create a separate server role for "active directory domain controller"
  Author: Andrew Bartlett   Date: 2012-06-15   Files: 1   Lines: -4/+4
  This will allow us to detect from the smb.conf if this is a Samba4 AD DC which will allow smarter handling of (for example) accidentally starting smbd rather than samba.
  To cope with upgrades from existing Samba4 installs, 'domain controller' is a synonym of 'active directory domain controller' and new parameters 'classic primary domain controller' and 'classic backup domain controller' are added.
  Andrew Bartlett
* s4-samr: fixed subtree search
  Author: Andrew Tridgell   Date: 2011-08-25   Files: 1   Lines: -1/+1
  this needs to be on the domain NC
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-dsdb Add ability to force a particular SID in the upgrade case
  Author: Andrew Bartlett   Date: 2011-08-13   Files: 1   Lines: -1/+2
* s4:rpc_server/dcesrv_samr.c - quiet enum warnings
  Author: Matthias Dieter Wallnöfer   Date: 2011-06-09   Files: 1   Lines: -0/+6
  When we are acting in the role of a PDC then please return it as status information.
  Reviewed-by: Tridge
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Thu Jun 9 12:06:36 CEST 2011 on sn-devel-104
* s4-samr Remove incorrect transaction_cancel() in error path
  Author: Andrew Bartlett   Date: 2011-05-08   Files: 1   Lines: -1/+0
  The transactions are now handled entirely within dsdb_add_user()
  Andrew Bartlett
* s4-rpc: improved error mapping for several RPC server calls
  Author: Andrew Tridgell   Date: 2011-04-04   Files: 1   Lines: -22/+19
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* Ensure convert_string_XXX is always called with a valid converted_size pointer.
  Author: Jeremy Allison   Date: 2011-03-29   Files: 1   Lines: -2/+5
  Preparation for cleaning up this API.
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Tue Mar 29 21:01:49 CEST 2011 on sn-devel-104
* lib/util/charset rename iconv_convenience to iconv_handle
  Author: Andrew Bartlett   Date: 2011-03-25   Files: 1   Lines: -3/+3
  This better reflects what this structure is
  Andrew Bartlett
* charcnv: removed the allow_badcharcnv and allow_bad_conv options to convert_string*()
  Author: Andrew Tridgell   Date: 2011-03-24   Files: 1   Lines: -3/+3
  we shouldn't accept bad multi-byte strings, it just hides problems
  Autobuild-User: Andrew Tridgell <tridge@samba.org>
  Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
* source4/rpc_server: Fix prototypes for all functions.
  Author: Jelmer Vernooij   Date: 2011-03-19   Files: 1   Lines: -0/+1
* build: moved libds/common/flag_mapping.c into a common subsystem
  Author: Andrew Tridgell   Date: 2011-02-24   Files: 1   Lines: -0/+1
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4:samr RPC server - QueryDisplayInfo returns always all domain users, aliases and groups
  Author: Matthias Dieter Wallnöfer   Date: 2011-02-15   Files: 1   Lines: -34/+40
  That means when calling "QueryDisplayInfo" on the BUILTIN handle we still get all related domain objects - for example all domain (global + universal) groups.
  This is contrary to the "EnumDomain..." calls which do really only return the objects in the specified domain policy handle.
  This has been observed against Windows Server 2008 and confirmed by dochelp.
  In the same occasion I've converted from a "gendb*"-oriented search call to "dsdb_search".
  Patch-reviewed-by: Andrew Tridgell <tridge@samba.org>
* ldb: use #include <ldb.h> for ldb
  Author: Andrew Tridgell   Date: 2011-02-10   Files: 1   Lines: -2/+2
  this ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4:samr RPC server - always interpret filter integer values as signed
  Author: Matthias Dieter Wallnöfer   Date: 2011-01-15   Files: 1   Lines: -4/+4
  To prevent platform-dependent problems.
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sat Jan 15 14:54:14 CET 2011 on sn-devel-104
* s4:samr RPC server - dcesrv_samr_GetBootKeyInformation - return NOT_SUPPORTED
  Author: Matthias Dieter Wallnöfer   Date: 2010-12-04   Files: 1   Lines: -1/+2
  Windows Server 2008 does this
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sat Dec 4 12:11:47 CET 2010 on sn-devel-104
* s4:samr RPC server - "dcesrv_samr_RemoveMemberFromForeignDomain"
  Author: Matthias Dieter Wallnöfer   Date: 2010-11-06   Files: 1   Lines: -12/+6
  - Remove TODO comment: MS-SAMR 3.1.5.8.7 explicitly states: "The SamrRemoveMemberFromForeignDomain method removes a member from all aliases."
  - Remove the search attributes since they aren't strictly needed.
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sat Nov 6 18:07:57 UTC 2010 on sn-devel-104
* s4:samr RPC server - the LDB error codes for adding or deleting a group member have changed
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-30   Files: 1   Lines: -4/+2
* s4:samr RPC server - fix trailing whitespaces
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-29   Files: 3   Lines: -268/+268
* s4:samr RPC server - fix indentation of function parameters
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-29   Files: 1   Lines: -29/+30
* s4:samr RPC server - DomainGeneralInformation - never return NULL on the oem name
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-29   Files: 1   Lines: -2/+6
  As far as I can tell Windows SAMR never returns NULL on unknown values in this call.
* s4:samr RPC server - provide the right "ReplicaSourceNodeName"
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-29   Files: 1   Lines: -12/+16
  It's the content of the "domainReplica" attribute if it exists and has only a meaning on interim/mixed domain function levels (with NT4 dcs).
* s4:samr RPC server - remove wrong implementation of ReplicaSourceNodeName
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-29   Files: 1   Lines: -20/+7
  This should represent a replication partner - never the DC itself
* s4:samr RPC server - "dcesrv_samr_info_DomGeneralInformation" - count always all types of groups
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-25   Files: 1   Lines: -4/+6
  One pair are universal and global groups (on the SAMR pipe called "groups") and the other one are the domain and builtin local groups (on the SAMR pipe called "aliases").
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Mon Oct 25 19:37:27 UTC 2010 on sn-devel-104
* s4:samr RPC server - remove a somewhat pointless comment
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-25   Files: 1   Lines: -1/+0
  Regardless if groups and users do exist in the builtin domain or not we do count always all users, groups and aliases.
* s4:"samdb_search_count" - introduce a "mem_ctx" parameter
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-25   Files: 1   Lines: -3/+6
  All other "samdb_search_*" calls do have one - why "samdb_search_count" doesn't?
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Mon Oct 25 17:42:33 UTC 2010 on sn-devel-104
* Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c""
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-17   Files: 2   Lines: -0/+2
  This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0.
  Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones.
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
* s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c"
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-17   Files: 2   Lines: -2/+0
  They're only in use by SAMDB code.
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
* s4:dsdb - remove "samdb_result_uint", "samdb_result_int64", "samdb_result_uint64" and "samdb_result_string"
  Author: Matthias Dieter Wallnöfer   Date: 2010-10-15   Files: 1   Lines: -27/+27
  We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this reduces only code redundancies.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* samdb: Add flags argument to samdb_connect().
  Author: Jelmer Vernooij   Date: 2010-10-10   Files: 2   Lines: -8/+8
* samr: for correctness, rename samr_RidTypeArray to samr_RidAttrArray.
  Author: Günther Deschner   Date: 2010-10-07   Files: 1   Lines: -7/+7
  Guenther
  Autobuild-User: Günther Deschner <gd@samba.org>
  Autobuild-Date: Thu Oct 7 12:04:32 UTC 2010 on sn-devel-104
* s4-samr: Fix dcesrv_samr_QueryGroupMember.
  Author: Günther Deschner   Date: 2010-10-07   Files: 1   Lines: -1/+3
  Guenther
* s4:dcesrv_samr_GetGroupsForUser - also universal group memberships are returned here
  Author: Matthias Dieter Wallnöfer   Date: 2010-09-11   Files: 1   Lines: -2/+3
  Tested using User Manager for Domains against Windows Server 2008. MS-SAMR 3.1.5.9.1 is wrong in this case therefore I've informed the dochelp team.
* s4:samr RPC server - samr_password.c - make real user password changes work
  Author: Matthias Dieter Wallnöfer   Date: 2010-08-17   Files: 1   Lines: -50/+74
  Now it's finally possible that the user can change his password with a DSDB connection using his credentials.
* s4:kdc/rpc server - adapt the "samdb_set_password" calls which perform password sets
  Author: Matthias Dieter Wallnöfer   Date: 2010-08-17   Files: 1   Lines: -3/+3