path: root/source3/rpc_server/samr
Commit message | Author | Age | Files | Lines
* s3: Use root_mode() to get uid_wrapper working correctly. | Andreas Schneider | 2014-04-17 | 1 | -2/+2
| Signed-off-by: Andreas Schneider <asn@samba.org>
| Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout | Andrew Bartlett | 2014-04-02 | 1 | -0/+17
| This was not noticed previously because the test was not run.
|
| Andrew Bartlett
|
| Change-Id: I88701b6c3057ec26f44b3ccab4134ac9aabe552a
| Signed-off-by: Stefan Metzmacher <metze@samba.org>
| Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2013-4496:samr: Remove ChangePasswordUser | Andrew Bartlett | 2014-03-13 | 1 | -161/+8
| This old password change mechanism does not provide the plaintext to validate against password complexity, and it is not used by modern clients. It also has quite difficult semantics to handle regarding password lockout.
|
| The missing features in both implementations (by design) were:
| - the password complexity checks (no plaintext)
| - the minimum password length (no plaintext)
|
| Additionally, the source3 version did not check:
| - the minimum password age
| - pdb_get_pass_can_change() which checks the security descriptor for the 'user cannot change password' setting.
| - the password history
| - the output of the 'passwd program' if 'unix passwd sync = yes'.
|
| Finally, the mechanism was almost useless, as it was incorrectly only made available to administrative users with permission to reset the password. It is removed here so that it is not mistakenly reinstated in the future.
|
| Andrew Bartlett
|
| Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
| Change-Id: If2edd3183c177e5ff37c9511b0d0ad0dd9038c66
| Signed-off-by: Andrew Bartlett <abartlet@samba.org>
| Reviewed-by: Andreas Schneider <asn@samba.org>
| Reviewed-by: Stefan Metzmacher <metze@samba.org>
| Reviewed-on: https://gerrit.samba.org/37
* CVE-2013-4496:s3-samr: Block attempts to crack passwords via repeated password changes | Andrew Bartlett | 2014-03-13 | 2 | -16/+129
| Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
| Change-Id: Ic31774275f07e003e7c2682a856ccb2d5a7939de
| Signed-off-by: Andrew Bartlett <abartlet@samba.org>
| Signed-off-by: Stefan Metzmacher <metze@samba.org>
| Signed-off-by: Jeremy Allison <jra@samba.org>
| Reviewed-by: Stefan Metzmacher <metze@samba.org>
| Reviewed-by: Jeremy Allison <jra@samba.org>
| Reviewed-on: https://gerrit.samba.org/162
* param: rename lp function and variable from "serverstring" to "server_string" | Garming Sam | 2014-02-07 | 1 | -2/+2
| Signed-off-by: Garming Sam <garming@catalyst.net.nz>
| Reviewed-by: Andrew Bartlett <abartlet@samba.org>
| Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:rpc_server: s/event_add_timed/tevent_add_timer | Stefan Metzmacher | 2013-02-19 | 1 | -1/+1
| Signed-off-by: Stefan Metzmacher <metze@samba.org>
| Reviewed-by: Michael Adam <obnox@samba.org>
* s3:rpc_server: s/struct timed_event/struct tevent_timer | Stefan Metzmacher | 2013-02-19 | 1 | -2/+2
| Signed-off-by: Stefan Metzmacher <metze@samba.org>
| Reviewed-by: Michael Adam <obnox@samba.org>
* s3:rpc_server: s/struct event_context/struct tevent_context | Stefan Metzmacher | 2013-02-19 | 1 | -1/+1
| Signed-off-by: Stefan Metzmacher <metze@samba.org>
| Reviewed-by: Michael Adam <obnox@samba.org>
* samr: Make use of posix_openpt | Volker Lendecke | 2013-01-14 | 1 | -0/+4
| Reviewed by: Jeremy Allison <jra@samba.org>
* samr: Split up an assignment from an if condition | Volker Lendecke | 2013-01-14 | 1 | -1/+2
| Reviewed by: Jeremy Allison <jra@samba.org>
* s3-rpc_server: limit allowed transports for samr_ValidatePassword(). | Günther Deschner | 2012-12-12 | 1 | -0/+5
| Guenther
|
| Signed-off-by: Günther Deschner <gd@samba.org>
| Reviewed-by: Stefan Metzmacher <metze@samba.org>
* loadparm: make the source3/ lp_ functions take an explicit TALLOC_CTX *. | Rusty Russell | 2012-07-18 | 2 | -11/+13
| They use talloc_tos() internally: hoist that up to the callers, some of whom don't want to use talloc_tos().
|
| A simple patch, but hits a lot of files.
|
| Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
* s3: rename sid_check_is_in_our_domain() to sid_check_is_in_our_sam() | Michael Adam | 2012-07-12 | 1 | -7/+7
| This does not check whether the given sid is in our domain, but whether it belongs to the local sam, which is a different thing on a domain member server.
|
| Autobuild-User(master): Michael Adam <obnox@samba.org>
| Autobuild-Date(master): Thu Jul 12 18:36:02 CEST 2012 on sn-devel-104
* s3: rename sid_check_is_domain() to sid_check_is_our_sam() | Michael Adam | 2012-07-12 | 1 | -6/+6
| This does not check whether the given sid is the domain sid, but whether it is the sid of the local sam, which is different for a domain member server.
* s3-rpc_server: Make it possible to use more rpc exceptions. | Andreas Schneider | 2012-07-06 | 1 | -7/+9
|
* Fix a bunch of "set but not used" warnings. | Jeremy Allison | 2012-06-19 | 1 | -14/+7
|
* auth: Use only security_token_is_system to determine that a user is SYSTEM | Andrew Bartlett | 2012-06-19 | 1 | -1/+1
| This removes the duplication on how to detect that a user is system in Samba now that the smbd system account is also only SID_NT_SYSTEM we can use the same check everywhere.
|
| Andrew Bartlett
|
| Signed-off-by: Andreas Schneider <asn@samba.org>
* build: Remove SMB_STRUCT_DIR define | Andrew Bartlett | 2012-04-05 | 1 | -1/+1
|
* build: Remove sys_closedir wrapper | Andrew Bartlett | 2012-04-05 | 1 | -2/+2
|
* build: Remove sys_opendir wrapper | Andrew Bartlett | 2012-04-05 | 1 | -1/+1
|
* build: Remove sys_open wrapper | Andrew Bartlett | 2012-04-05 | 1 | -3/+3
|
* lib/util: Remove obsolete sys_getpid() and sys_fork(). | Jelmer Vernooij | 2012-03-24 | 1 | -1/+1
| The performance of these is minimal (these days) and they can return invalid results when used as part of applications that do not use sys_fork().
|
| Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
| Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
* s3-rpc: Decrypt with the proper session key in CreateTrustedDomainEx2. | Alexander Bokovoy | 2012-03-13 | 1 | -18/+19
| On LSA and SAMR pipes session_key is truncated to 16 byte when doing encryption/decryption. However, this was not done for trusted domain-related modifying operations. As result, Samba 4 client libraries do not work against Samba 3 while working against Windows 2008 r2. Solved this by introducing "session_extract_session_key()" function that allows to specify intent of use of the key.
|
| Signed-off-by: Andreas Schneider <asn@samba.org>
|
| Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
| Autobuild-Date: Tue Mar 13 12:23:44 CET 2012 on sn-devel-104
* Fix bug #8561 - Password change settings not fully observed. | Jeremy Allison | 2011-11-16 | 1 | -1/+1
| Autobuild-User: Jeremy Allison <jra@samba.org>
| Autobuild-Date: Wed Nov 16 00:22:41 CET 2011 on sn-devel-104
* s3-group-mapping: Remove fstrings from GROUP_MAP. | Simo Sorce | 2011-10-12 | 1 | -12/+40
| Signed-off-by: Andreas Schneider <asn@samba.org>
|
| Autobuild-User: Günther Deschner <gd@samba.org>
| Autobuild-Date: Wed Oct 12 19:28:12 CEST 2011 on sn-devel-104
* s3-samr: Remove fstring in samr. | Andreas Schneider | 2011-09-26 | 1 | -5/+14
| Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
| Autobuild-Date: Mon Sep 26 19:56:04 CEST 2011 on sn-devel-104
* s3-passdb: Cleanup use of fstring and move to talloc. | Simo Sorce | 2011-09-26 | 1 | -15/+37
| Signed-off-by: Andreas Schneider <asn@samba.org>
* s3-auth Use system boolean in auth_user_info_unix | Andrew Bartlett | 2011-07-20 | 1 | -1/+1
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3-auth Use *unix_token rather than utok in struct auth3_session_info | Andrew Bartlett | 2011-07-20 | 1 | -8/+8
| This brings this structure one step closer to the struct auth_session_info.
|
| A few SMB_ASSERT calls are added in some key places to ensure that this pointer is initialised, to make tracing any bugs here easier in future.
|
| NOTE: Many of the users of this structure should be reviewed, as unix and NT access checks are mixed in a way that should just be done using the NT ACL. This patch has not changed this behaviour however.
|
| Andrew Bartlett
|
| Signed-off-by: Andrew Tridgell <tridge@samba.org>
* s3: Remove some unused variables | Volker Lendecke | 2011-07-05 | 1 | -4/+0
| Autobuild-User: Volker Lendecke <vlendec@samba.org>
| Autobuild-Date: Tue Jul 5 18:40:11 CEST 2011 on sn-devel-104
* s3-samr Send IP address only to PAM remote hostname hook on password set | Andrew Bartlett | 2011-07-04 | 1 | -44/+12
| The previous behaviour was to attempt to do a reverse hostname lookup, where enabled. This new behaviour matches the new behaviour in the modules called by auth stack.
|
| Andrew Bartlett
* s3-samr: Replace client_id in samr server. | Andreas Schneider | 2011-07-04 | 1 | -7/+72
| Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-param Remove special case for global_myname(), rename to lp_netbios_name() | Andrew Bartlett | 2011-06-09 | 1 | -3/+3
| There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly.
|
| Andrew Bartlett
* s3-talloc Change TALLOC_ZERO_ARRAY() to talloc_zero_array() | Andrew Bartlett | 2011-06-09 | 1 | -15/+15
| Using the standard macro makes it easier to move code into common, as TALLOC_ZERO_ARRAY isn't standard talloc.
* s3-talloc Change TALLOC_ZERO_P() to talloc_zero() | Andrew Bartlett | 2011-06-09 | 1 | -14/+14
| Using the standard macro makes it easier to move code into common, as TALLOC_ZERO_P isn't standard talloc.
* s3-talloc Change TALLOC_ARRAY() to talloc_array() | Andrew Bartlett | 2011-06-09 | 1 | -1/+1
| Using the standard macro makes it easier to move code into common, as TALLOC_ARRAY isn't standard talloc.
* Fix bug #7054 - X account flag does not work when pwdlastset is 0. | Jeremy Allison | 2011-05-24 | 1 | -1/+10
| Don't allow pass_last_set_time to be set to zero (which means "user must change password on next logon") if user object doesn't allow password change.
|
| Don't automatically allow user object password change if "user must change password on next logon" is set.
|
| Jim please check.
|
| Jeremy.
* s3-rpc_server: run minimal_includes.pl. | Günther Deschner | 2011-05-05 | 1 | -1/+0
| Guenther
|
| Autobuild-User: Günther Deschner <gd@samba.org>
| Autobuild-Date: Thu May 5 03:04:38 CEST 2011 on sn-devel-104
* s3: include ntdomain.h before including generated srv_ headers. | Günther Deschner | 2011-05-02 | 1 | -1/+1
| Guenther
* s3-auth Rename user_session_key -> session_key to match auth_session_info | Andrew Bartlett | 2011-04-05 | 1 | -10/+10
|
* s3-samr: make getgrgid() failure a little more visible in _samr_CreateDomAlias(). | Günther Deschner | 2011-03-31 | 1 | -1/+1
| Guenther
|
| Autobuild-User: Günther Deschner <gd@samba.org>
| Autobuild-Date: Thu Mar 31 01:00:42 CEST 2011 on sn-devel-104
* s3-rpc_server: move access check functions out of samr server. | Günther Deschner | 2011-03-30 | 1 | -113/+1
| Guenther
* s3-includes: only include ntdomain.h where needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
| Guenther
* s3-auth: rpc_server needs auth.h | Günther Deschner | 2011-03-30 | 2 | -0/+2
| Guenther
* s3-passdb: use passdb headers where needed. | Günther Deschner | 2011-03-30 | 1 | -0/+2
| Guenther
* s3-passdb: add passdb.h where needed. | Günther Deschner | 2011-03-30 | 3 | -0/+3
| Guenther
* s3-includes: only include system/filesys.h when needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
| Guenther
* s3-includes: only include system/passwd.h when needed. | Günther Deschner | 2011-03-30 | 2 | -0/+2
| Guenther
* s3-includes: only include system/terminal.h when needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
| Guenther
* s3-auth struct security_unix_token replaces UNIX_USER_TOKEN | Andrew Bartlett | 2011-03-01 | 1 | -1/+1
|