IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The added tests include basic validation that the script runs and accepts all
custom arguments. The tests also verify changes to the password complexity,
minimum password length, and minimum password length settings.
The testit_expect_failure() function is like the testit() function, with
reversed error detection logic. This reversal only affects the pass/fail logic
and logging - the original return code from the command is still returned to the
calling script.
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
While it is hard to prove it is correct, at least the new
'nettestuser' principal and the Administrator principal are correct.
We had to fix the case of 'Administrator' in the selftest code to
match the DB, as the keytab lookup is case sensitive.
Andrew Bartlett
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportadely) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew Bartlett
The purpose of this test is to ensure that the Kerberos credentials
cache is valid. If the username and password is specified, this
overrides the very thing we are trying to test.
Andrew Bartlett
This reads the schema from the in-memory structure, when the magic
attributes are requested. The code is a modified version of that used
in the ad2oLschema tool (now shared).
The schema_fsmo module handles the insertion of the generated result.
As such, this commit also removes these entries from the setup/schema.ldif
Metze's previous stub of this functionality is also removed.
Andrew Bartlett
(This used to be commit c7c32ec7b4)
Added a blackbox test which looks for $WINTEST_CONF_DIR,
gets configuration vars from *.conf in that dir, disables
smbwrapper, and runs RAW-OPEN torture test.
Scripts are coming to startup/shutdown vm's.
(This used to be commit 74a0a9bb54)
We should now (need to review and compare them once more) be able to
remove ldap.js (and once samba3sam.js is done, smbscript).
Andrew Bartlett
(This used to be commit f65e43e945)
Previously, the output from $cmdline was never captured. In case of a
failure, there was no output being passed to the subunit_fail_test() function,
but that function contains a call to "cat -". This caused the script to hang
indefinitely waiting for input.
We now capture $cmdline output (including mapping stderr to stdout) using
backticks, and then pipe that output to the subunit_fail_test() if there is
a failure.
(This used to be commit c0234d1319)
The problems here were that we did not bind to the LSA pipe, and we
did not consider it possible to have 0 trusted domains.
Andrew Bartlett
(This used to be commit 86694d429d)
This fixes up the python credentials interface in a number of areas,
with the aim of supporting '-k yes' as a command line option. (This
enables the use of kerberos).
As such, I've had to change the get_credentials call to take a
loadparm context, so that the credentials can be initialised
correctly.
The test_kinit script has been modified to prove that this continues
to work, as well as to provide greater code coverage of the kerberos
paths.
Andrew Bartlett
(This used to be commit 727ef40c2b)
You have to define idl, call the client function
and add a server implementation.
Then you need to compile midltests.exe
and run it, it will dump the generated NDR on the
screen.
metze
(This used to be commit dc15c88335)
Untested code is broken code, so rework the module until it passes...
It turns out that AD puts search attributes onto the wire in the
reverse order to what Samba does. This complicates exact value
matching, so this is skipped for now.
Andrew Bartlett
(This used to be commit 91bcb60d31)
incoming LDAP filter.
Warning: Any anr search will perform a full index search. Untill ldb
gets substring indexes, this is unavoidable.
Also implement a testsutie to show we match AD behaviour for this
important extension (used in the Active Directory Users and Computers
MMC plugin, as a genereral 'find').
This will also be useful to OpenChange, as their server needs to
implement this.
Andrew Bartlett
(This used to be commit 044b509472)
It appears that the control value is optional, implying type 0 responses.
Failing to parse this was causing LDAP disconnects with 'unavailable
critical extension'.
Andrew Bartlett
(This used to be commit 833dfc2f2a)
implement these in the simple ldap mapping module.
We still don't pass this test, because we must get linked attributes
into OpenLDAP.
Andrew Bartlett
(This used to be commit d41f34e979)
restrictions imposed by the samldb module.
This module is worth keeping, because when we go back to do more
extensive backend mapping, the testing of this module shows it is
still possible.
Andrew Bartlett
(This used to be commit a10d2554dc)
invalid entries with a linked attribute.
Make Samba4 pass that test, by fixing a silly bug in the
linked_attributes module. (By passing down the 'original' request
structure, tdb would override our handle, and therefore we would never
be called for the 'wait', which collects the errors).
Fix up the provision templates to handle the newly required
referential integrity.
Andrew Bartlett
(This used to be commit 0377d85bbd)
This prevents CN=test,dc=samba,dc=example,dc=com being renamed into
CN=test2,cn=test,dc=samba,dc=example,dc=com
Andrew Bartlett
(This used to be commit 958a92ed0c)
This patch is to ensure that all attributes are in the same case as
the schema specifies. In the process, I ensure that all attributes
are indeed in the schema.
This ensures we use the schema case, not the user supplied case for
future responses, which assists any (incorrect, but possible) case
sensitive processing on a client.
I've also removed more of the subtle 'schema &&' that metze objected
to in the for loops, moving to a much more explicit 'if (schema)'.
Andrew Bartlett
(This used to be commit bfc96fff06)
The aim here is to ensure that if we have
CN=Users,DC=samba,DC=example,DC=com
that we cannot have a DN of the form
cn=admin ,cn=useRS,DC=samba,DC=example,DC=com
This module pulls apart the DN, fixes up the relative DN part, and
searches for the parent to copy the base from.
I've used the objectclass module, as I intend to also validate the
placement of child objects, by reading the allowedChildClasses virtual
attribute.
In the future, I'll also force the attribute names to be consistant
(using the case from the schema).
Andrew Bartlett
(This used to be commit c0a0c69ac5)
case an oddity of the javascript caused the test to 'pass'.
For the same oddity, we have a failure in ldb's handling of spaces in
DNs. We need to resolve that too.
Andrew Bartlett
(This used to be commit e8cbac1a46)
Subclass support was designed to avoid needing to spell out the full
list of objectClasses that an entry was in. However, Samba4 now
enforces this restriction in the objectClass module, and the way
subclass matching was handled was complex and counter-intuitive in my
opinion (and did not match LDAP).
Andrew Bartlett
(This used to be commit f5ce04b904)
The module is scary: On a rename, it does a search for all entries
under that entry (including itself), and fires off a seperate rename
call for each result. This will fail miserably on an LDAP backend,
but I'll need to work on using hdb for OpenLDAP, and hope Fedora DS
can implement subtree renames at some point.
Andrew Bartlett
(This used to be commit 13908a8cb4)
to test the behaviour of objectCategory=user searches.
It turns out (thanks to a hint on
http://blog.joeware.net/2005/12/08/147/) that objectCategory=user maps
into objectCategory=CN=Person,... (by the defaultObjectCategory of
that objectclass).
Simplify the entryUUID module by using the fact that we now set the DN
as the canoncical form of objectCategory.
Andrew Bartlett
(This used to be commit b474be9507)
Computers).
We now generate a security descriptor for each object, when it is
created. This seems to keep MMC happy. The next step is to honour
it.
Andrew Bartlett
(This used to be commit 72f4ae8246)
Modify the samba3sam test to be less fussy, and not use the
objectclass module (which requires proper schema stuff now).
Andrew Bartlett
(This used to be commit 53c248c264)
on this error code, but allow both for now).
Also prove that bug #4829 needs a different solution: we can't fix
this by changing the template. I think this fix needs to be in the
SAMR server.
Andrew Bartlett
(This used to be commit c3554e3ee7)
test to prove the behaviour of LDAP renames etc.
Fix LDB to return correct error code when failing to rename one DN
onto another.
Andrew Bartlett
(This used to be commit 3f3da9c471)
dereferencing attributes.
Fix the case to match between the attributes searched for and the ejs
element. (Fixes LDAP-backend selftest)
Andrew Bartlett
(This used to be commit 51cf66bb96)
- samba3sam.js: rework the samba3sam test to not use objectCategory,
as it's has special rules (dnsName a simple match)
- ldap.js: Test the ordering of the objectClass attributes for the baseDN
- schema_init.c: Load the mayContain and mustContain (and system...) attributes when
reading the schema from ldb
- To make the schema load not suck in terms of performance, write the
schema into a static global variable
- ldif_handlers.c: Match objectCategory for equality and canonicolisation
based on the loaded schema, not simple tring manipuation
- ldb_msg.c: don't duplicate attributes when adding attributes to a list
- kludge_acl.c: return allowedAttributesEffective based on schema results
and privilages
Andrew Bartlett
(This used to be commit dcff83ebe4)
partitions onto the target LDAP server.
Make the LDAP provision run before smbd starts, then stop the LDAP
server. This ensures this occurs synchronously, We then restart it
for the 'real run' (with slapd's stdin being the FIFO).
This required fixing a few things in the provision scripts, with more
containers being created via a add/modify pair.
Andrew Bartlett
(This used to be commit 860dfa4ea1)
private dir to contain a valid machine account.
It isn't really valid it use the DC's account any more, so extend this
script to also join the domain. This nicely tests out some previously
untested code too!
Andrew Bartlett
(This used to be commit 12f4e6033e)
few authentication tests. Now that the tests correctly 'fail', I was
able to fix the credentials subsystem to honour USER and PASSWD.
To get --machine-pass working, I needed ldb to always load it's static
modules, so I put this in ldb_connect().
Andrew Bartlett
(This used to be commit 3430d8c072)
This changes the main selftest code to be in perl rather than in shell script.
The selftest script is now no longer a black box but a regular executable that takes
--help.
This adds the following features:
* "make test TESTS=foo" will run only the tests that match the regex "foo"
* ability to deal with expected failures. the suite will not warn about tests
that fail and are known to fail, but will warn about other failing tests and
tests that are succeeding tests but incorrectly marked as failing.
* ability to print a summary with all failures at the end of the run
It also opens up the way to the following features, which I hope to implement later:
* "environments", for example having a complete domains with DCs and domain members
in a testenvironment
* only set up smbd if necessary (not when running LOCAL tests, for example)
* different mktestsetup scripts per target. except for the mktestsetup script, we can
use the same infrastructure for samba 3 or windows.
(This used to be commit 38f867880b)
'phantom_root' flag in the search_options control
- Add in support for LDB controls to the js layer
- Test the behaviour
- Implement support for the 'phantom_root' flag in the partitions module
- Make the LDAP server set the 'phantom_root' flag in the search_options control
- This replaces the global_catalog flag passed down as an opaque pointer
- Rework the string-format control parsing function into
ldb_parse_control_strings(), returning errors by ldb_errorstring()
method, rather than with printf to stderr
- Rework some of the ldb_control handling logic
Andrew Bartlett
(This used to be commit 2b3df7f38d)
We were returning just true/false and discarding error number and string.
This checking probably breaks swat, will fix it in next round as swat
is what made me look into this as I had no way to get back error messages
to show to the users.
Simo.
(This used to be commit 35886b4ae6)
- use ${SCHEMADN} instead of CN=Schema,CN=Configuration,${BASEDN}
- do not include autogenerated values: instanceType, cn and name in the ldif output
- take care of the systemOnly attribute and a resulting NO-USER-MODIFICATION
metze
(This used to be commit 30a0e8b26e)
attributes to backend (remote) attributes.
We can't do a reverse mapping safely where the remote attribute may be
a source for multiple local attributes. (We end up with the wrong
attributes returned).
In doing this, I've modified the samba3sam.js test to be more
realistic, and fixed some failures in the handling of primaryGroupID.
I've added a new (private) helper function ldb_msg_remove_element() to
avoid a double lookup of the element name.
I've also re-formatted many of the function headers, to fit into
standard editor widths.
Andrew Bartlett
(This used to be commit 186766e309)
This commit extends the samba3sam test suite, which contains tests for
the samba3sam and ldb_map modules, with a lot of tests for inbound,
i.e. add, modify, rename and delete requests.
The tests each add a single record, modify it, rename it, and then
delete it, at each step checking that the operations were successful
and that the right data went into the right partitions.
They are run for an unmapped record, a mapped record with data only in
the remote partition, a mapped record with remote data that is later
modified to include local data, and a mapped record with data in both
the local and remote partitions.
It also adds a function to the backend objects that makes construction
of DNs for their respective partitions more comfortable.
Cheers,
Martin
(This used to be commit 1ddd06f24d)
this version returns also oMSyntax and oMObjectClass and also
use the right value for the objects CNs
add a nasty hack to ejs' mprLdbMessage() to handle binary blobs situations
(This used to be commit 8dd1c1c05b)
suite, which contains tests for the samba3sam and ldb_map modules,
with a lot of tests for search requests.
The tests add a small set of known records to the database, half of
them with only remote data, half of them split across the local and
remote backends, and test searching these records by DN, by attribute
and with a range of parse trees.
This suite should be extensive enough to ensure that behaviour of
search requests doesn't break.
(This used to be commit 120f7891fa)
<mkhl@samba.org>.
Martin took over the work done last year by Jelmer, in last year's
SoC. This was a substanital task, as the the ldb modules API changed
significantly during the past year, with the addition of async calls.
This changeset reimplements and enables the ldb_map ldb module and
adapts the example module and test case, both named samba3sam, to the
implementation.
The ldb_map module supports splitting an ldb database into two parts
(called the "local" and "remote" part) and storing the data in one of
them (the remote database) in a different format while the other acts
as a fallback.
This allows ldb to e.g. store to and load data from a remote LDAP
server and present it according to the Samba4 schema while still
allowing the LDAP to present and modify its data separately.
A complex example of this is the samba3sam module (by Jelmer
Vernooij), which maps data between the samba3 and samba4 schemas.
A simpler example is given by the entryUUID module (by Andrew
Bartlett), which handles some of the differences between AD and
OpenLDAP in operational attributes. It principally maps objectGUID,
to and from entryUUID elements. This is also an example of a module
that doesn't use the local backend as fallback storage.
This merge also splits the ldb_map.c file into smaller, more
manageable parts.
(This used to be commit af2bece4d3)
This confirms that records are replicated into the correct databases,
and that the case insensitive flags really work.
Andrew Bartlett
(This used to be commit ad463c1a52)
With this fix, we now correctly detect computers again, and get the
correct objectCategory, which is important for the OSX AD plugin.
Andrew Bartlett
(This used to be commit 4e39d7bb24)
This updates the module to handle both SID allocation and nextRid
updating while importing users. (As imported users already have a
SID, so don't go via the allocation step). We also ensure that SIDs
in the database are unquie at create time.
Furthermore, at allocation time, we double-check the SID isn't already
in use, and that we don't create a foriegnSecurityPrincipal for a
'local' sid.
Also create random samAccountName entries for users without one (we
were setting $000000-000000000000).
We may want to seperate the uniqueness code from the rest of samldb,
and into a module with the objectguid code, which needs similar
checks. These checks also need to apply to modification, or those
modifications denied outright.
Also update part of the testsuite to validate this.
Andrew Bartlett
(This used to be commit 7a9c8eee4b)
Doing this required reworking ejsnet, particularly so it could take a
set of credentials, not just a username and password argument.
This required fixing the ejsnet.js test script, which now adds and
deletes a user, and is run from 'make test'. This should prevent it
being broken again.
Deleting a user from ejsnet required that the matching backend be
added to libnet, hooking fortunetly onto already existing code for the
actual deletion.
The js credentials interface now handles the 'set machine account' flag.
New functions have been added to provision.js to wrap the basic
operations (so we can write a command line version, as well as the web
based version).
Andrew Bartlett
(This used to be commit a5e7c17c34)
mappings right for the attributeTypes field of the aggregate schema
now to add the display specifiers and I won't need the proxy module
any more
(This used to be commit 69264362bd)
except the attributeTypes fields of the Aggregrate record. Proxying
just that field and the display specifiers gives us a working mmc
client
hopefully i'll work out what it doesn't like about the attributeTypes
field soon
(This used to be commit 3af867a3f4)
ldap server. It's still not quite right, and I'm chasing down a few
errors that mmc throws up, but its a lot closer than it was. I had to
change the approach quite substantially over the last couple of days,
but this approach now seems to be working out.
(This used to be commit 38ea11510c)
needed to represent all the current records on a ADS LDAP server. The
idea is we will use something based on this code to work out exactly
what schema elements we will need for our initial ADS schema. I plan
on expanding this code to automatically work out attribute properties,
and write out a schema file that we can load into ldb.
Interestingly, it looks like we only need 43 objectclasses and around
200 attributes to represent all records of a newly installed w2k3 ADS
server.
(This used to be commit 7b0ae77757)
functionality. It now completely enumerates a winreg tree.
This would make a good basis for a js version of regshell if someone
felt like taking that on.
(This used to be commit 75d0cf78ec)
calls. This changes the generated RPC and IRPC calls to use the 'this'
object pointer instead of requiring the passing of the object on each
call. So typical usage is now:
var echo = echo_init();
var io = irpcObj();
status = echo.connect("ncacn_np:server");
assert(status.is_ok);
io.input.in_data = 7;
status = echo.AddOne(io);
assert(status.is_ok);
(This used to be commit f7b49ecd08)
dn: cn=foo,ou=bar
objectClass: person
implies
dn: cn=foo,ou=bar
objectClass: person
cn: foo
(as well as a pile more default attributes)
We also correct the case in the attirbute to match that in the DN
(win2k3 behaviour) and I have a testsuite (in ejs) to prove it.
This module also found a bug in our provision.ldif, so and reduces
code complexity in the samdb module.
Andrew Bartlett
(This used to be commit 0cc58f5c3c)
into an object. To keep existing code working I have added:
string_init(global);
into base.js. That brings the functions into the global scope for our
existing scripts
(This used to be commit a978484738)
a 'db' variable around. The ldb object knows what it is connected to.
Added a simple ldb testsuite in testprogs/ldb.js
(This used to be commit cf35818648)
means we don't pollute the name space, and also makes for faster
startup times as we only create variables for the pipes that we use,
not all pipes
(This used to be commit 57d7a585e8)
var ldb = ldb_init();
res = ldb.search(dbfile, "(objectClass=user)");
you can also do:
ldbSearch = ldb.search;
res = ldbSearch(dbfile, "(objectClass=user)");
if you want the old interface (ie. you can use this to import
functions into the global or local namespace).
(This used to be commit 3093057d97)
This is a demo script that shows the nbt server statistics. For example:
nbt_server statistics:
total_received: 185
total_sent: 59
query_count: 13
release_count: 21
register_count: 7
(This used to be commit cd1ea857ce)
information from QueryUserInfo for all users in the domain.
If you want to see why I am putting the effort into ejs, then please
read swat/scripting/samr.js, and compare it to other methods of rpc
access for our web management interface. Using ejs like this will make
building a rich interface _much_ easier.
(This used to be commit eb354f6da7)
calls from js. I chose the new syntax to match the C calling syntax,
so if you are familiar with using the Samba4 rpc libraries from C,
then using them from js should be easy
(This used to be commit 757bb7f31c)
- Define __PIDL__ when preprocessing IDL files.
- Remove a couple of useless defines from rpcecho.idl
rpcecho.idl now works in both pidl and midl
(althought pidl is a bit pedantic and gives two warnings)
(This used to be commit 6731e0a654)