14 years agor5100: We should only care about case-sensitivity when *reading* an incoming
Jeremy Allison [Sun, 30 Jan 2005 00:36:19 +0000 (00:36 +0000)]
r5100: We should only care about case-sensitivity when *reading* an incoming
filename, not returning one. Makes us pass one more Samba4 RAW-SEARCH test.

14 years agor5098: Next round build-fixing
Volker Lendecke [Sat, 29 Jan 2005 10:05:46 +0000 (10:05 +0000)]
r5098: Next round build-fixing

14 years agor5096: Attempt to fix the build
Volker Lendecke [Sat, 29 Jan 2005 09:38:15 +0000 (09:38 +0000)]
r5096: Attempt to fix the build

14 years agor5082: Don't blindly copy question rr_type and class, set correctly as required
Jeremy Allison [Sat, 29 Jan 2005 02:49:01 +0000 (02:49 +0000)]
r5082: Don't blindly copy question rr_type and class, set correctly as required
by rfc1002.

14 years agor5077: Use correct type for rr record on negative name query reply.
Jeremy Allison [Sat, 29 Jan 2005 02:18:01 +0000 (02:18 +0000)]
r5077: Use correct type for rr record on negative name query reply.

14 years agor5076: Ensure that WINS negative name query responses and WACK packets
Jeremy Allison [Sat, 29 Jan 2005 02:03:46 +0000 (02:03 +0000)]
r5076: Ensure that WINS negative name query responses and WACK packets
use the correct RR type of 0xA instead of reflecting back what
the query RR type was (0x20). See rfc1002 sections 4.2.14 and

14 years agor5069: Ensure we return the correct errors for old-style search requests.
Jeremy Allison [Fri, 28 Jan 2005 23:17:12 +0000 (23:17 +0000)]
r5069: Ensure we return the correct errors for old-style search requests.

14 years agor5066: A couple of small fixes from James Peach @ SGI.
Jeremy Allison [Fri, 28 Jan 2005 21:55:45 +0000 (21:55 +0000)]
r5066: A couple of small fixes from James Peach @ SGI.

14 years agor5063: Shamelessly steal the Samba4 logic (and some code :-) for directory
Jeremy Allison [Fri, 28 Jan 2005 21:01:58 +0000 (21:01 +0000)]
r5063: Shamelessly steal the Samba4 logic (and some code :-) for directory
evaluation. This stops us from reading the entire directory into
memory at one go, and allows partial reads. It also keeps almost
the same interface to the OpenDir/ReadDir etc. code (sorry James :-).
Next I will optimise the findfirst with exact match code. This speeds
up our interactive response for large directories, but not when a
missing (ie. negative) findfirst is done.

14 years agor5060: BUG 2286: fix typoe on sambaConfig oc definition
Gerald Carter [Fri, 28 Jan 2005 17:36:41 +0000 (17:36 +0000)]
r5060: BUG 2286: fix typoe on sambaConfig oc definition

14 years agor5058: Due to the fragileness how windows reacts on unmapped sids sometimes,
Günther Deschner [Fri, 28 Jan 2005 17:05:55 +0000 (17:05 +0000)]
r5058: Due to the fragileness how windows reacts on unmapped sids sometimes,
don't leave administator-sid unmapped. Simply return "Administrator"


14 years agor5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define
Gerald Carter [Fri, 28 Jan 2005 16:55:09 +0000 (16:55 +0000)]
r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define
* make sure to apply the rights_mask and not just the saved
  bits from the mask in access_check_samr_object()
* allow root to grant/revoke privileges (in addition to Domain
  Admins) as suggested by Volker.

Tested machine joins from XP, 2K, and NT4 with and without
pre-existing machine trust accounts.  Also tested basic file
operations using cmd.exe and explorer.exe after changing the

14 years agor5046: mark 'winbind enable local accounts' and testprns as depcrecated
Gerald Carter [Thu, 27 Jan 2005 15:13:16 +0000 (15:13 +0000)]
r5046: mark 'winbind enable local accounts' and testprns as depcrecated

14 years agor5029: after talking to Rob, ensure that we set the NETIOSNAME.domainname
Gerald Carter [Thu, 27 Jan 2005 02:56:18 +0000 (02:56 +0000)]
r5029: after talking to Rob, ensure that we set the NETIOSNAME.domainname
as the longname in the published printer information since this
is what we will have used when we joined the domain.

More testing on this tomorrow.

14 years agor5028: * check acb_info mask in _samr_create_user instead of the last character
Gerald Carter [Thu, 27 Jan 2005 02:16:02 +0000 (02:16 +0000)]
r5028: * check acb_info mask in _samr_create_user instead of the last character
  of the user name
* fix some access_mask checks in _samr_set_userinfo2 (getting join from
  XP without being a member of domain admins working)

14 years agor5020: bumping the 3.0 tree to 3.0.12pre1 since there will not be a full sync for...
Gerald Carter [Wed, 26 Jan 2005 20:48:21 +0000 (20:48 +0000)]
r5020: bumping the 3.0 tree to 3.0.12pre1 since there will not be a full sync for the 3.0.11rc1 release

14 years agor5015: (based on abartlet's original patch to restrict password changes)
Gerald Carter [Wed, 26 Jan 2005 20:36:44 +0000 (20:36 +0000)]
r5015: (based on abartlet's original patch to restrict password changes)

* added SE_PRIV checks to access_check_samr_object() in order
  to deal with the run-time security descriptor and their
  interaction with user rights

* Reordered original patch in _samr_set_userinfo[2] to still
  allow root/administrative password changes for users and machines.

14 years agor5014: Split out the request to send an async level II oplock break into a
Jeremy Allison [Wed, 26 Jan 2005 20:01:21 +0000 (20:01 +0000)]
r5014: Split out the request to send an async level II oplock break into a
new function to make it clear when it's called. Remove async parameter
that had been overloaded into request_oplock_break.
Inspired by work from Nadav Danieli <>.

14 years agor5012: fix segfault caused by using a ipp_t * after calling cupsDoRequest()
Gerald Carter [Wed, 26 Jan 2005 14:46:54 +0000 (14:46 +0000)]
r5012: fix segfault caused by using a ipp_t * after calling cupsDoRequest()

14 years agor5002: Ensure we can't remove a level II oplock without having the
Jeremy Allison [Wed, 26 Jan 2005 00:13:15 +0000 (00:13 +0000)]
r5002: Ensure we can't remove a level II oplock without having the
shared memory area locked. This need to be in 3.0.11. Pointed
out by Nadav Danieli <>.

14 years agor5000: 5000th post! w00tsvn diffsvn diff :-)
Gerald Carter [Tue, 25 Jan 2005 23:34:39 +0000 (23:34 +0000)]
r5000: 5000th post! w00tsvn diffsvn diff :-)

14 years agor4996: sync up copytights with trunk
Gerald Carter [Tue, 25 Jan 2005 23:33:18 +0000 (23:33 +0000)]
r4996: sync up copytights with trunk

14 years agor4995: fail set_privileges() if 'enable privileges = no' to prevent confused admins...
Gerald Carter [Tue, 25 Jan 2005 23:32:19 +0000 (23:32 +0000)]
r4995: fail set_privileges() if 'enable privileges = no' to prevent confused admins who never read what I write :-)

14 years agor4994: Patch from abartlet:
Günther Deschner [Tue, 25 Jan 2005 23:30:05 +0000 (23:30 +0000)]
r4994: Patch from abartlet:

When migrating account policies to ldapsam, handle the fact that an
admin might have changed the default location of the sambaDomain-object
after installation.


14 years agor4989: Display failed LDAP-server-uri.
Günther Deschner [Tue, 25 Jan 2005 20:36:24 +0000 (20:36 +0000)]
r4989: Display failed LDAP-server-uri.


14 years agor4988: After speaking with Jerry, remove old lp_admin_users to
Günther Deschner [Tue, 25 Jan 2005 19:56:01 +0000 (19:56 +0000)]
r4988: After speaking with Jerry, remove old lp_admin_users to
administrator-sid mapping completely.


14 years agor4976: Try to scare people off from trying to write authentication modules
Andrew Bartlett [Tue, 25 Jan 2005 02:58:31 +0000 (02:58 +0000)]
r4976: Try to scare people off from trying to write authentication modules
that only acheive as much as 'security=server' does.

Andrew Bartlett

14 years agor4972: Fix a warning and some debugging-outputs.
Günther Deschner [Tue, 25 Jan 2005 01:19:02 +0000 (01:19 +0000)]
r4972: Fix a warning and some debugging-outputs.


14 years agor4970: Fix for bug 2092, allowing fallback after kerberos and allow
Jeremy Allison [Mon, 24 Jan 2005 20:21:15 +0000 (20:21 +0000)]
r4970: Fix for bug 2092, allowing fallback after kerberos and allow
gnome vfs to prevent auto-anonymous logon.

14 years agor4967: Not being in any domain local groups is obviously valid...
Volker Lendecke [Mon, 24 Jan 2005 19:33:20 +0000 (19:33 +0000)]
r4967: Not being in any domain local groups is obviously valid...


14 years agor4966: don't enumerate the drivers for the same architecture string more than once
Gerald Carter [Mon, 24 Jan 2005 18:42:33 +0000 (18:42 +0000)]
r4966: don't enumerate the drivers for the same architecture string more than once

14 years agor4965: comment out some unused attributes and oc's
Gerald Carter [Mon, 24 Jan 2005 17:42:19 +0000 (17:42 +0000)]
r4965: comment out some unused attributes and oc's

14 years agor4964: Fix our lsa lookupsid $OURDOMAINSID-500.
Günther Deschner [Mon, 24 Jan 2005 17:29:12 +0000 (17:29 +0000)]
r4964: Fix our lsa lookupsid $OURDOMAINSID-500.

Give the admin-user (rid 500) a chance to be found in passdb, not
returning the (possibly obscure) first entry of "admin users" before


14 years agor4963: It is actually a very bad idea to use KRB5_CONFIG in the
Günther Deschner [Mon, 24 Jan 2005 16:30:46 +0000 (16:30 +0000)]
r4963: It is actually a very bad idea to use KRB5_CONFIG in the
configure-checks (At least Heimdal uses KRB5_CONFIG for locating it's
configuration-file (usually /etc/krb5.conf)). Renaming it to KRB5CONFIG
prevents configure-checks that use heimdal-libs from segfaulting while
the lib reads the krb5-config binary as a configuration file...

Vendors that used the KRB5_CONFIG-variable to let configure find a
custom krb5-config binary have to use KRB5CONFIG now.


14 years agor4946: Our notion the other_sids in the info3 SamLogon struct was
Volker Lendecke [Sun, 23 Jan 2005 14:10:57 +0000 (14:10 +0000)]
r4946: Our notion the other_sids in the info3 SamLogon struct was
...hmmm... completely bogus. This does not affect us as a domain controller,
as we never set other_sids, but I have *no* idea how winbind got away with it.

Please review thoroughly, samba4 idl looks closer to reality here.

Test case: Member of w2k3 domain, authenticate as a user who is member of one
or more domain local groups. Easiest review with 'client schannel = no'.



14 years agor4933: List not only the first 10 trusts with rpcclient -c enumtrust.
Volker Lendecke [Sat, 22 Jan 2005 17:12:19 +0000 (17:12 +0000)]
r4933: List not only the first 10 trusts with rpcclient -c enumtrust.


14 years agor4932: Forgot to increase version with the account-policy-commit.
Günther Deschner [Sat, 22 Jan 2005 12:02:13 +0000 (12:02 +0000)]
r4932: Forgot to increase version with the account-policy-commit.


14 years agor4931: Add get_user_info_7 in SAMR. This just gives out the username. (In
Günther Deschner [Sat, 22 Jan 2005 11:26:13 +0000 (11:26 +0000)]
r4931: Add get_user_info_7 in SAMR. This just gives out the username. (In
preparation of adding the ability of renaming users via setuserinfo
level 7).


14 years agor4926: Use LDAP_SCOPE_ONELEVEL instead of OpenLDAP's LDAP_SCOPE_ONE-scope.
Günther Deschner [Sat, 22 Jan 2005 04:09:21 +0000 (04:09 +0000)]
r4926: Use LDAP_SCOPE_ONELEVEL instead of OpenLDAP's LDAP_SCOPE_ONE-scope.


14 years agor4925: Migrate Account Policies to passdb (esp. replicating ldapsam).
Günther Deschner [Sat, 22 Jan 2005 03:37:09 +0000 (03:37 +0000)]
r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).

Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.


14 years agor4921: Typo.
Jeremy Allison [Sat, 22 Jan 2005 01:38:42 +0000 (01:38 +0000)]
r4921: Typo.

14 years agor4917: Merge some of obvious fixes.
Jeremy Allison [Sat, 22 Jan 2005 01:22:39 +0000 (01:22 +0000)]
r4917: Merge some of obvious fixes.
Added text explaining units in pdbedit time fields.

14 years agor4913: fixing 'perl requires' filters for RPM packaging on RedHat/Fedora
Gerald Carter [Fri, 21 Jan 2005 23:06:27 +0000 (23:06 +0000)]
r4913: fixing 'perl requires' filters for RPM packaging on RedHat/Fedora

14 years agor4907: remove unreached code
Gerald Carter [Fri, 21 Jan 2005 19:09:51 +0000 (19:09 +0000)]
r4907: remove unreached code

14 years agor4905: patch from abartlet to remove storing the auth-user credentials from the cli...
Gerald Carter [Fri, 21 Jan 2005 19:08:17 +0000 (19:08 +0000)]
r4905: patch from abartlet to remove storing the auth-user credentials from the cli* in cm_prepare_connection().  using credentials from a domain other thanour primary domain will cause the schannel setup to fail

14 years agor4902: please note that cupsDoRequest() deletes the request* so don't call ippDelete...
Gerald Carter [Fri, 21 Jan 2005 18:14:31 +0000 (18:14 +0000)]
r4902: please note that cupsDoRequest() deletes the request* so don't call ippDelete(request) *ever*

14 years agor4882: Fix for #2255. Debug should have been 10 not 0.
Jeremy Allison [Fri, 21 Jan 2005 01:42:45 +0000 (01:42 +0000)]
r4882: Fix for #2255. Debug should have been 10 not 0.

14 years agor4881: Varient of Lar's patch for #2270. Jerry promises to test :-).
Jeremy Allison [Fri, 21 Jan 2005 00:29:38 +0000 (00:29 +0000)]
r4881: Varient of Lar's patch for #2270. Jerry promises to test :-).

14 years agor4879: Fix rewinddir -> rewind_dir. Noticed by James Peach.
Jeremy Allison [Thu, 20 Jan 2005 22:42:08 +0000 (22:42 +0000)]
r4879: Fix rewinddir -> rewind_dir. Noticed by James Peach.

14 years agor4877: When vampiring account policy AP_LOCK_ACCOUNT_DURATION honour "Lockout
Günther Deschner [Thu, 20 Jan 2005 21:42:05 +0000 (21:42 +0000)]
r4877: When vampiring account policy AP_LOCK_ACCOUNT_DURATION honour "Lockout
Duration: Forever".


14 years agor4875: Fix for bugid #221, inspired by Mrinal Kalakrishnan <>.
Jeremy Allison [Thu, 20 Jan 2005 18:31:11 +0000 (18:31 +0000)]
r4875: Fix for bugid #221, inspired by Mrinal Kalakrishnan <>.
NT sometimes send garbage bytes in NT security descriptor linearizations
when sending well-known sids. Cope with these.

14 years agor4874: add DOmain Admins (Full Control) to the default printer sd if we are a DC
Gerald Carter [Thu, 20 Jan 2005 17:42:15 +0000 (17:42 +0000)]
r4874: add DOmain Admins (Full Control) to the default printer sd if we are a DC

14 years agor4873: example delete printer script for use with cups
Gerald Carter [Thu, 20 Jan 2005 17:17:29 +0000 (17:17 +0000)]
r4873: example delete printer script for use with cups

14 years agor4871: BUG 603: patch by Daniel Beschorner <>. Correct access mask...
Gerald Carter [Thu, 20 Jan 2005 17:05:10 +0000 (17:05 +0000)]
r4871: BUG 603: patch by Daniel Beschorner <>.  Correct access mask check for _samr_lookup_domain() to work with Windows RAS server

14 years agor4870: Make multi-domain-mode in idmap_rid accessible from outside (can be
Günther Deschner [Thu, 20 Jan 2005 17:04:16 +0000 (17:04 +0000)]
r4870: Make multi-domain-mode in idmap_rid accessible from outside (can be
compiled with -DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS) as requested by Lars
Mueller <>.

Allow to map ID's for a local SAM and add some more


14 years agor4869: Display sam_user_info_7 in rpcclient.
Günther Deschner [Thu, 20 Jan 2005 16:55:55 +0000 (16:55 +0000)]
r4869: Display sam_user_info_7 in rpcclient.


14 years agor4868: Add "net rpc user RENAME"-command.
Günther Deschner [Thu, 20 Jan 2005 16:51:24 +0000 (16:51 +0000)]
r4868: Add "net rpc user RENAME"-command.

Note that Samba3 does not yet support it server-side.


14 years agor4867: Removing smbldap-tools from the svn tree. I'll include
Gerald Carter [Thu, 20 Jan 2005 16:31:42 +0000 (16:31 +0000)]
r4867: Removing smbldap-tools from the svn tree.  I'll include
the latest version in the actual release tarballs.
Have spoken to the idealx developers about this.

Updated README to reflect the changte for people using svn.

Removed since it is no longer needed when using
the smbldap-tools (only keep things you support).

14 years agor4866: Add createdomgroup to rpcclient (needed to generate huge amounts of
Günther Deschner [Thu, 20 Jan 2005 13:49:34 +0000 (13:49 +0000)]
r4866: Add createdomgroup to rpcclient (needed to generate huge amounts of
groups when 'net rpc group add' is just to slow).


14 years agor4864: Remove unused var.
Jeremy Allison [Thu, 20 Jan 2005 01:19:57 +0000 (01:19 +0000)]
r4864: Remove unused var.

14 years agor4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile...
Gerald Carter [Wed, 19 Jan 2005 22:50:27 +0000 (22:50 +0000)]
r4860: fix silly limitation in ldapsam and tdbsam.  Expand variables in the profile path, logon home and logon script values

14 years agor4856: after testing a simple add printer script, i realized that you still have...
Gerald Carter [Wed, 19 Jan 2005 21:10:56 +0000 (21:10 +0000)]
r4856: after testing a simple add printer script, i realized that you still have to be root to send the message to all smbds that the config file has been updated

14 years agor4855: add some smb.conf script for add/delete/change share and addprinter hooks
Gerald Carter [Wed, 19 Jan 2005 20:44:00 +0000 (20:44 +0000)]
r4855: add some smb.conf script for add/delete/change share and addprinter hooks

14 years agor4852: merge simo changes to srv_srvsvc_nt.c from trunk
Gerald Carter [Wed, 19 Jan 2005 18:28:55 +0000 (18:28 +0000)]
r4852: merge simo changes to srv_srvsvc_nt.c from trunk
that allows the add/change share command to create the directory
passed in as an arguement and not require that it pre-exist.

Also finish testing of SeDiskOperatorPrivilege via srvmgr.exe

14 years agor4851: Preleminary fix for ldapsam_enum_group_memberships when
Günther Deschner [Wed, 19 Jan 2005 17:42:33 +0000 (17:42 +0000)]
r4851: Preleminary fix for ldapsam_enum_group_memberships when
ldapsam:trusted=True. Don't bail out when ldap-search returns pure
posixgroups (w.o. samba group-mapping).

This way those unix-memberships do not appear in user and nt user token.
Volker, could you please look over that one?


14 years agor4850: Fix remaining pdb_setsampwent-calls.
Günther Deschner [Wed, 19 Jan 2005 17:08:36 +0000 (17:08 +0000)]
r4850: Fix remaining pdb_setsampwent-calls.
To get all entries use a 0 acb_mask.


14 years agor4849: * finish SeAddUsers support in srv_samr_nt.c
Gerald Carter [Wed, 19 Jan 2005 16:52:19 +0000 (16:52 +0000)]
r4849: * finish SeAddUsers support in srv_samr_nt.c
* define some const SE_PRIV structure for use when
  you need a SE_PRIV* to a privilege
* fix an annoying compiler warngin in smbfilter.c
* translate SIDs to names in 'net rpc rights list accounts'
* fix a seg fault in cli_lsa_enum_account_rights caused by
  me forgetting the precedence of * vs. []

14 years agor4848: fix build; gd please check and make sure this is ok
Gerald Carter [Wed, 19 Jan 2005 16:44:53 +0000 (16:44 +0000)]
r4848: fix build; gd please check and make sure this is ok

14 years agor4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().
Günther Deschner [Wed, 19 Jan 2005 16:13:26 +0000 (16:13 +0000)]
r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().

This allows the ldap-backend to search much more effeciently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).

Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similiar effects
show up the non-user query_dispinfo-calls, etc.

Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.


14 years agor4846: do not keep outdated files here.
Simo Sorce [Wed, 19 Jan 2005 16:09:59 +0000 (16:09 +0000)]
r4846: do not keep outdated files here.
the updated file is in the Release branch and in the official tarballs

14 years agor4845: Correct my name.
Simo Sorce [Wed, 19 Jan 2005 15:04:56 +0000 (15:04 +0000)]
r4845: Correct my name.
Jerry this file seem old and not updated.
We should either update it or remove it imho.


14 years agor4840: * Add more generic root-dse inspection function to check for given
Günther Deschner [Wed, 19 Jan 2005 09:58:29 +0000 (09:58 +0000)]
r4840: * Add more generic root-dse inspection function to check for given
controls or extensions.
* Check and remember if ldapsam's LDAP Server support paged results
(in preparation of adding async paged-results to set|get|end-sampwent in


14 years agor4839: Allow to set acb_mask in rpcclient's enumdomusers (for debugging).
Günther Deschner [Wed, 19 Jan 2005 09:36:27 +0000 (09:36 +0000)]
r4839: Allow to set acb_mask in rpcclient's enumdomusers (for debugging).


14 years agor4830: Fix for problem noticed by Guy Harris <>, return
Jeremy Allison [Tue, 18 Jan 2005 22:40:49 +0000 (22:40 +0000)]
r4830: Fix for problem noticed by Guy Harris <>, return
correct DOS/NT error code on transact named pipe on closed pipe

14 years agor4827: add 'net rpc rights list accounts' & update help text
Gerald Carter [Tue, 18 Jan 2005 20:51:06 +0000 (20:51 +0000)]
r4827: add 'net rpc rights list accounts' & update help text

14 years agor4825: Printing changes
Gerald Carter [Tue, 18 Jan 2005 19:51:36 +0000 (19:51 +0000)]
r4825: Printing changes

* bracket the add/delete/set printer scripts with checks for se_print_op
* slight change to the add/set printer script semantics.  smbd no longer
  relies on output from the script (on stdout) to re-read smb.conf
* remove SIGHUP from set/add/delete printin script code and now just

* bracket the add/delete/set share scripts with checks for se_print_op
  (this includes setting share ACLs)

14 years agor4824: wrap the shutdown and abort_shutdown calls in check for the SE_REMOTE_SHUTDOWN...
Gerald Carter [Tue, 18 Jan 2005 18:30:32 +0000 (18:30 +0000)]
r4824: wrap the shutdown and abort_shutdown calls in check for the SE_REMOTE_SHUTDOWN privilege

14 years agor4823: remove -O1 from --with-developer
Gerald Carter [Tue, 18 Jan 2005 18:29:55 +0000 (18:29 +0000)]
r4823: remove -O1 from --with-developer

14 years agor4822: fix return code when you ask for a non-privileged SID via one of the privilege...
Gerald Carter [Tue, 18 Jan 2005 18:29:28 +0000 (18:29 +0000)]
r4822: fix return code when you ask for a non-privileged SID via one of the privileges RPC calls

14 years agor4821: finish off 'net rpc rights [list|grant|revoke]'
Gerald Carter [Tue, 18 Jan 2005 18:28:34 +0000 (18:28 +0000)]
r4821: finish off 'net rpc rights [list|grant|revoke]'
one small todo item is to add a 'accounts' sub option
to 'net rpc list' so enumerate all privileged SIDs
and their associated rights.

14 years agor4820: add beginnings of 'net rpc rights' for managing privilege assignments
Gerald Carter [Tue, 18 Jan 2005 14:46:24 +0000 (14:46 +0000)]
r4820: add beginnings of 'net rpc rights' for managing privilege assignments

14 years agor4809: * include SeDiskOperatorPrivilege and SeRemoteShutdownPrivilege
Gerald Carter [Mon, 17 Jan 2005 20:27:29 +0000 (20:27 +0000)]
r4809: * include SeDiskOperatorPrivilege and SeRemoteShutdownPrivilege
  (noty enfornced yet though)
* add 'enable privileges (off by default) to control whether or
  not any privuleges can be assigned to SIDs

14 years agor4805: Last planned change to the privileges infrastructure:
Gerald Carter [Mon, 17 Jan 2005 15:23:11 +0000 (15:23 +0000)]
r4805: Last planned change to the privileges infrastructure:

* rewrote the tdb layout of privilege records in account_pol.tdb
  (allow for 128 bits instead of 32 bit flags)
* migrated to using SE_PRIV structure instead of the PRIVILEGE_SET
  structure.  The latter is now used for parsing routines mainly.

Still need to incorporate some client support into 'net' so
for setting privileges.  And make use of the SeAddUserPrivilege

14 years agor4802: Don't try to update a column with the name "NULL"
Jelmer Vernooij [Mon, 17 Jan 2005 14:25:58 +0000 (14:25 +0000)]
r4802: Don't try to update a column with the name "NULL"

14 years agor4788: Don't log mysql password at debug level 1.
Jelmer Vernooij [Sun, 16 Jan 2005 23:09:56 +0000 (23:09 +0000)]
r4788: Don't log mysql password at debug level 1.

14 years agor4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testing
Volker Lendecke [Sat, 15 Jan 2005 19:00:18 +0000 (19:00 +0000)]
r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testing
shows that this info is correctly returned to us in to info3 struct, so
check_info3_in_group does not need to be adapted.


14 years agor4751: This is a domain policy, not a user one
Volker Lendecke [Sat, 15 Jan 2005 09:26:21 +0000 (09:26 +0000)]
r4751: This is a domain policy, not a user one

14 years agor4750: Fix cli_samr_queryuseraliases. There can be more than one sid, thus more than
Volker Lendecke [Sat, 15 Jan 2005 09:15:28 +0000 (09:15 +0000)]
r4750: Fix cli_samr_queryuseraliases. There can be more than one sid, thus more than
one pointer...


14 years agor4749: Fix memleak
Volker Lendecke [Sat, 15 Jan 2005 09:10:47 +0000 (09:10 +0000)]
r4749: Fix memleak

14 years agor4746: add server support for lsa_enum_acct_rights(); last checkin for the night
Gerald Carter [Sat, 15 Jan 2005 03:54:03 +0000 (03:54 +0000)]
r4746: add server support for lsa_enum_acct_rights(); last checkin for the night

14 years agor4742: add server support for lsa_add/remove_account_rights() and fix some parsing...
Gerald Carter [Sat, 15 Jan 2005 02:20:30 +0000 (02:20 +0000)]
r4742: add server support for lsa_add/remove_account_rights() and fix some parsing bugs related to that code

14 years agor4740: allow SE_PRINT_OPERATORS to have printer admin access
Gerald Carter [Fri, 14 Jan 2005 21:24:15 +0000 (21:24 +0000)]
r4740: allow SE_PRINT_OPERATORS to have printer admin access

14 years agor4739: require membership in Domain Admins to be able to set privileges
Gerald Carter [Fri, 14 Jan 2005 21:05:54 +0000 (21:05 +0000)]
r4739: require membership in Domain Admins to be able to set privileges

14 years agor4738: Fix for bug #2238 - memory leak in shadow copy vfs.
Jeremy Allison [Fri, 14 Jan 2005 20:23:22 +0000 (20:23 +0000)]
r4738: Fix for bug #2238 - memory leak in shadow copy vfs.

14 years agor4736: small set of merges from rtunk to minimize the diffs
Gerald Carter [Fri, 14 Jan 2005 19:26:13 +0000 (19:26 +0000)]
r4736: small set of merges from rtunk to minimize the diffs

14 years agor4732: Even if we have 'password server' set, we need to look up the native DC name
Volker Lendecke [Fri, 14 Jan 2005 12:17:18 +0000 (12:17 +0000)]
r4732: Even if we have 'password server' set, we need to look up the native DC name
via netbios, as the user might have set an IP address or a fqdn.


14 years agor4731: Fix the build
Volker Lendecke [Fri, 14 Jan 2005 08:14:22 +0000 (08:14 +0000)]
r4731: Fix the build

14 years agor4724: Add support for Windows privileges in Samba 3.0
Gerald Carter [Thu, 13 Jan 2005 18:20:37 +0000 (18:20 +0000)]
r4724: Add support for Windows privileges in Samba 3.0
(based on Simo's code in trunk).  Rewritten with the
following changes:

* privilege set is based on a 32-bit mask instead of strings
  (plans are to extend this to a 64 or 128-bit mask before
   the next 3.0.11preX release).
* Remove the privilege code from the passdb API
  (replication to come later)
* Only support the minimum amount of privileges that make
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
  instead of the 'is a member of "Domain Admins"?' check that started
  all this.

Still todo:

* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
  Samba DC to another.
* Come up with some management tool for manipultaing privileges
  instead of user manager since it is buggy when run on a 2k client
  (haven't tried xp).  Works ok on NT4.

14 years agor4704: Fix encoding while receiving of a message which was actually sent using STR_AS...
Alexander Bokovoy [Wed, 12 Jan 2005 09:54:50 +0000 (09:54 +0000)]
r4704: Fix encoding while receiving of a message which was actually sent using STR_ASCII. Patch from Grigory Batalov <>

14 years agor4697: Fix for bug #2231 inspired by
Jeremy Allison [Wed, 12 Jan 2005 01:25:14 +0000 (01:25 +0000)]
r4697: Fix for bug #2231 inspired by
Remove double "\\" from findfirst.