mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Commit Graph

2397 Commits

Author SHA1 Message Date
Andrew Bartlett
f03913e2cc s4-kerberos Move 'set key into keytab' code out of credentials.
This code never really belonged in the credentials layer, and
is easier done with direct access to the ldb_message that is
in secrets.ldb.

Andrew Bartlett
2010-09-24 09:25:44 +10:00
Matthias Dieter Wallnöfer
964f992779 s4:repl_meta_data - also on delete operations the new RDN attribute has to be casefolded correctly
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
30afa65785 s4:lazy_commit LDB module - the "show_deleted" control is initialised by the "show_deleted" LDB module
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
29e3806b0e s4:rootdse LDB module - make use of "dsdb_forest_functional_level"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
9123bcbf77 s4:ldap.py - add tests for the "dsServiceName", "serverName", "dnsHostName" and "ldapServiceName" rootDSE attributes
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
1d9a348144 s4:rootdse LDB module - introduce dynamic "ldapServiceName"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
681106af4f s4:rootdse LDB module - introduce dynamic "dnsHostName" attribute
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
5fd7bc8564 s4:rootdse LDB module - make "serverName" dynamic
This helps to fix bug #7347. "dsServiceName" cannot be made dynamic in such a
simple way since it's already needed on LDB initialisation time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
e446ef1c3f s4:rootdse LDB module - remove "priv" checks where not needed
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
f1535694f7 s4:rootdse LDB module - better that the "edn" control handling is done last
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
679eb33e79 s4:samldb LDB module - it isn't allowed to create user/computer accounts with a primary group specified
It can only be changed afterwards. We allow a "relax"ed exception for the
provision state since we need this for the guest account.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
2e913994f2 s4:dsdb/common/util_samr.c - remove the primary group specifications
Now also the primary group detection/change on modify operations does work

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
c03ec03212 s4:ldap.py - test default primary groups on modify operations
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
f46c6233e7 s4:samldb LDB module - support the "userAccountControl" -> "primaryGroupID" detection also on modify operations
Also requested by MS-SAMR 3.1.1.8.1.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
72bb8c3fb3 s4:ldap.py - enhance SAM user/groups behaviour test regarding default primary groups
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
f84724cebc s4:rootdse LDB module - make more use of LDB result constants
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
08298457d4 s4:rootdse LDB module - fix comment typo
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
7a1a0cde2e s4:password_hash LDB module - don't assign "lp_ctx" twice
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
e59cdaf40e s4:rootdse LDB module - fix counter types
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
1a1be71eb8 s4:extended_dn_in LDB module - fix a counter type
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
6c349d479f s4:drepl_out_helpers.c - fix a counter type
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Anatoliy Atanasov
67b6252eed s4/dsdb:kcc: cleanup and improve readability 2010-09-23 08:41:05 -07:00
Stefan Metzmacher
519180c341 s4:dsdb/kcc: we don't need to manually allocate [out,ref] pointers anymore
metze

Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-23 08:41:05 -07:00
Andrew Tridgell
d2008fbbb9 s4-kcc: the kcc should not be setting the repsTo attribute
repsTo is set by other DCs, when they ask to be notified about changes
in a partition
2010-09-23 07:17:57 +00:00
Andrew Tridgell
d1cbd68bb1 s4-kcc: added service->am_rodc
use a rodc flag on the service instead of calling samdb_rodc each time
2010-09-23 07:17:57 +00:00
Andrew Tridgell
c166b44b47 s4-kcc: pass the service context into the kcc connection code
this will be used for the RODC changes needed for the kcc
2010-09-23 07:17:56 +00:00
Jelmer Vernooij
cc5b673e18 s4-selftest: Move samba3sam test to standard python directory. 2010-09-22 22:29:09 -07:00
Jelmer Vernooij
1716cdbef3 dsdb: Use short path for ldb_handlers.h, in case ldb is installed in the
system.
2010-09-22 17:48:24 -07:00
Nadezhda Ivanova
aa57fd8224 s4-ldap: Fixed a problem with NC's having a parentGUID attribute
NC's other than default NC had a parentGUID, due to an incorrect check of whether
the object has a parent. Fixed by checking object's instanceType instead.
2010-09-21 09:10:54 -07:00
Andrew Tridgell
7ffcf90bb9 s4-drepl: use the partition UDV and hwm for extended getncchanges ops
we find the NC root then load the uptodateness vector and highwater
mark, if available, from there
2010-09-20 21:51:08 -07:00
Andrew Tridgell
3fe8e97a72 s4-rodc: fixed repsFrom store on RODC
We were disallowing repsFrom store as a RODC on the basis that it is a
write to the directory. It should be allowed, as it is a
non-replicated attribute.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-20 15:27:45 -07:00
Andrew Tridgell
59951163be s4-kcc: a bit more debug info on repsFrom creation
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-20 15:27:45 -07:00
Kamen Mazdrashki
f06d98764a s4-dsdb-schema_prefixmap: return WERR_DS_NO_ATTRIBUTE_OR_VALUE when ATTID is not found
rather than WERR_INTERNAL_ERROR - it is not internal error!
2010-09-21 00:15:24 +03:00
Kamen Mazdrashki
395b09c1b6 s4-dsdb-schema_prefixmap: Print debug message when internal failure occurs 2010-09-21 00:15:24 +03:00
Anatoliy Atanasov
b4eba4268d s4/dcdiag: Handle ListRoles command for dcdiag:KnowsOfRoleHolders test 2010-09-20 09:46:10 -07:00
Anatoliy Atanasov
7250cb3e73 s4/fsmo: Create separate function for retrieving fsmo role dn and owner dn.
This functionality is needed for DsCrackNames ListRoles command also.
2010-09-20 09:44:19 -07:00
Anatoliy Atanasov
faeeb5c8e7 s4/drs: use type enum drsuapi_DsNameFormat in DsCrackNames code 2010-09-20 09:41:00 -07:00
Andrew Tridgell
34f47a33df s4-rootdse: mark registered controls as non-critical
this is needed for clients that may include unnecessary controls in
requests and mark them as non-critical
2010-09-19 19:20:48 -07:00
Anatoliy Atanasov
5d807107bb s4/fsmo: Naming master support added
Test suite for fsmo is extended with a test case for naming master too.
2010-09-19 12:16:04 -07:00
Andrew Tridgell
e72a1e2055 s4-pydsdb: added am_rodc() method on samdb 2010-09-19 11:29:32 -07:00
Kamen Mazdrashki
d76bb4ac40 s4-drs: Check for schema changes only in case we are *not* applying Schema replica
This fixes the problem when we fail to replicate with
a partner DC that has a newer Schema with attributeSchema
objects with OIDs that we don't have in our local prefixMap.
2010-09-18 15:09:47 +03:00
Kamen Mazdrashki
9256b5f226 s4-schema: Helper func to compare schemaInfo signatures 2010-09-17 13:53:03 +03:00
Kamen Mazdrashki
1295da92f9 s4-schema: use dsdb_schema_info_blob_is_valid() to verify schemaInfo blob
instead of parsing it.
2010-09-17 13:53:03 +03:00
Kamen Mazdrashki
aedefd3e99 s4-prefixMap: use dsdb_schema_info_blob_is_valid() for schemaInfo blob validation
This fixes a leaking dsdb_schema_info object also.
2010-09-17 13:53:03 +03:00
Kamen Mazdrashki
e691b1fd27 s4-dsdb: Add dsdb_schema_info_blob_is_valid() to verify schemaInfo blobs 2010-09-17 13:53:03 +03:00
Andrew Tridgell
e5cd023a41 s4-drs: initial skeleton for DrsReplica{Add,Del,Mod} calls 2010-09-16 16:08:46 +10:00
Andrew Tridgell
3b87e3e951 s4-repl: if we are an RODC don't set WRIT_REP in replication
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 07:24:01 +10:00
Andrew Tridgell
05ec123b3b s4-repl: add partial attribute set to getncchanges calls for RODCs
when we are a RODC we must supply a partial attribute set in the
getncchanges call

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 07:24:01 +10:00
Andrew Tridgell
520252c8d2 s4-repl: added min_usn to extended replication call
the repl_secret code needs to set it to avoid too many duplicate
attributes

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 07:24:01 +10:00
Andrew Tridgell
1da147e6fa s4-repl: added repl_secret handling
initiate a repl secret extended op when requested

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 07:24:01 +10:00
Andrew Tridgell
d5673b5501 s4-repl: cleanup the extended op calls in repl server
- use generic parameter names
- trigger a run of pending ops on all extended ops
- don't prevent parallel fsmo transfers
- moved extended op code into drepl_extended
2010-09-16 07:24:01 +10:00
Andrew Tridgell
e18c0030e0 s4-pyjoin: fill in the dns name in the python replication method
this is needed to get the repsFrom DNS entry right

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 07:24:01 +10:00
Andrew Tridgell
f89f3cf30f s4-repl: split out the extended op handling
this is not part of the rid allocation logic

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 07:24:00 +10:00
Andrew Tridgell
54b5370474 s4-repl: cleanup getncchanges extended op calls
Multiple calls are allowed to run in parallel as long as they don't
conflict.

This also cleans up the variable names in the extended op calls.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16 07:24:00 +10:00
Anatoliy Atanasov
2eeba94c9c s4/fsmo: Handle infrastructure, pdc and rid extended ops
With this change we can transfer all roles back and forward, except
for the naming master. Also this commit fixes the naming of
fsmo_role_dn - used to point to the DN from which we read fSMORoleOwner
role_owner_dn - used to point to the NTDSDSA who owns the role
Now we always pass fsmo_role_dn, role_owner_dn to the extended operation
and to drepl_create_role_owner_source_dsa

Conflicts:

	source4/dsdb/repl/drepl_ridalloc.c
2010-09-15 14:00:28 +03:00
Andrew Tridgell
6c45eeb944 s4-repl: use consistent API calls for getting DN GUID
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:36 +10:00
Andrew Tridgell
ce2004d631 s4: fixed some printf format errors 2010-09-15 15:39:35 +10:00
Andrew Tridgell
13a8745cae s4-rodc: add a trigger message for REPL_SECRET to auth_sam
when an RODC tries to authenticate against an account and the account
has no password information it needs to send a message to the drepl
server to tell it to try and replicate the secret information from
a writeable DC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:34 +10:00
Andrew Tridgell
b9393e4896 s4-kcc: removed redundant loop check
el has already been checked for NULL
2010-09-15 15:39:34 +10:00
Andrew Tridgell
a17da70785 s4-dsdb: check for invalid backend type 2010-09-15 15:39:34 +10:00
Andrew Tridgell
3e88f3cf33 s4-rootdse: setup length after NULL check 2010-09-15 15:39:34 +10:00
Andrew Tridgell
d00cb8b3d3 s4-dsdb: fixed use after free for RODC 2010-09-15 15:39:33 +10:00
Andrew Tridgell
597372df34 s4-dsdb: free right context on failure
down_req is not initialised yet
2010-09-15 15:39:33 +10:00
Andrew Tridgell
cbd8297b4d s4-dsdb: defer ac->msg after check for NULL ac 2010-09-15 15:39:33 +10:00
Andrew Tridgell
5a4a11cb98 s4-anr: check for allocation failure before use 2010-09-15 15:39:33 +10:00
Jelmer Vernooij
8209198998 waf: work around circular dependency finder erroneously removing dependency of gensec on dcerpc. 2010-09-14 17:24:05 +02:00
Matthias Dieter Wallnöfer
6e720ecd25 s4:SID handling - always encode the SID using "ldap_encode_ndr_dom_sid" for LDAP filters
This makes also lookups through special backends as "samba3sam" work.
2010-09-13 22:41:06 +02:00
Matthias Dieter Wallnöfer
a4b7fac86d s4:cosmetic - the SID attribute is called objectSid - not objectSID 2010-09-13 22:39:50 +02:00
Matthias Dieter Wallnöfer
fe958c009b Revert "s4:samldb LDB module - simplify the message handling on add and modify operations"
This reverts commit 1d94bb3ad4.

This commit causes unconditional behaviour (sometimes it works, sometimes not) -sorry for introducing this.

I will rework this further.
2010-09-13 10:39:39 +02:00
Matthias Dieter Wallnöfer
123712840f s4:samldb LDB module - remove a disastrous "talloc_free"
This completely destroys the program logic (async callbacks). Sorry for
introducing this.
2010-09-12 22:26:10 +02:00
Matthias Dieter Wallnöfer
0939ba4488 Revert "s4:util_samr.c - also here we've now the default primaryGroupID detection working"
This reverts commit 7e9e35db41.

Sorry, the logic is working differently here. We do still need this.
2010-09-12 22:25:37 +02:00
Matthias Dieter Wallnöfer
7e9e35db41 s4:util_samr.c - also here we've now the default primaryGroupID detection working 2010-09-12 21:19:27 +02:00
Matthias Dieter Wallnöfer
4a2941535d s4:ldap.py - tests the primary group detection by the "userAccountControl" 2010-09-12 19:23:06 +02:00
Matthias Dieter Wallnöfer
7f424155e6 s4:samldb LDB module - "samldb_check_primaryGroupID" - support RID derivation from "userAccountControl"
Specified in MS-SAMR 3.1.1.8.1 and probably fixes also bug #7441.
2010-09-12 19:23:06 +02:00
Matthias Dieter Wallnöfer
22d42432ac s4:samldb LDB module - free the "ac" context after the delete checks 2010-09-12 19:23:05 +02:00
Matthias Dieter Wallnöfer
1d94bb3ad4 s4:samldb LDB module - simplify the message handling on add and modify operations
We perform always only one shallow copy operation of the message on the "req"
context. This allows to free the "ac" context when we've prepared all our
changes.
2010-09-12 19:23:05 +02:00
Matthias Dieter Wallnöfer
79f22e5d70 s4:samldb LDB module - move "samldb_prim_group_users_check" more down to see that it is only in use by the delete operation
add and modify helpers will stay on the top of the add and modify operation
since they will likely be shared as much as possible.
2010-09-12 19:23:05 +02:00
Matthias Dieter Wallnöfer
bb1da645ed s4:samldb LDB module - add a comment to mark the beginning of the extended operation handler 2010-09-12 19:23:05 +02:00
Matthias Dieter Wallnöfer
dad7cdad22 s4:samldb LDB module - refactor "samldb_find_for_defaultObjectCategory" to be again synchronous
Also to make it easier to comprehend
2010-09-12 19:23:05 +02:00
Matthias Dieter Wallnöfer
6aca09b0b7 s4:samldb LDB module - refactor the "primaryGroupID" check on user creation
This looks more straight-forward now.
2010-09-12 19:23:05 +02:00
Matthias Dieter Wallnöfer
e1de425cb8 s4:samldb LDB module - get rid of the SID context variable
Since we get more and more rid of async stuff we don't need this in the context
anymore.
2010-09-12 19:23:05 +02:00
Matthias Dieter Wallnöfer
79a98b893a s4:samldb LDB module - use also here the real attribute denomination "sAMAccountName"
Purely cosmetic - but nicer to read
2010-09-12 19:23:05 +02:00
Matthias Dieter Wallnöfer
0eb281d8f2 s4:samldb LDB module - rename "check_SamAccountType" into "check_sAMAccountType"
And a small cosmetic change.
I like to have the real attribute names in the function denominations
2010-09-12 19:23:04 +02:00
Matthias Dieter Wallnöfer
4ef9760db1 s4:samldb LDB module - make "samldb_check_sAMAccountName" synchronous again
To make it more understandable
2010-09-12 19:23:04 +02:00
Matthias Dieter Wallnöfer
c0a863b6f3 s4:ldb_register_samba_handlers - fix up and convert result codes to LDB/LDAP results 2010-09-11 17:41:38 +02:00
Andrew Bartlett
a02a2c3557 libcli/security Use talloc_zero when making a struct security_token 2010-09-11 18:46:14 +10:00
Andrew Bartlett
0eea8ecfe2 s4-privs Separate rights and privileges
These are related, but slightly different concepts.  The biggest difference
is that rights are not enumerated as a system-wide list.

This moves the rights to security.idl due to dependencies.

Andrew Bartlett
2010-09-11 18:46:13 +10:00
Andrew Bartlett
6d78e11e17 libcli/security make sec_privilege_id() return SEC_PRIV_INVALID on failure.
Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:10 +10:00
Anatoliy Atanasov
788bfc8a25 s4/fsmo: Change return type from NTSTATUS to WERROR for drepl_takeFSMOrole
This removed an unnecessary conversion of the return type in
drepl_take_FSMO_role.
2010-09-10 13:44:20 +03:00
Anatoliy Atanasov
0ad22777ec s4/fsmo: Fix callback declaration 2010-09-10 13:29:38 +03:00
Kamen Mazdrashki
d08439d42b s4-dreplsrv: fix 'dn' for partition object being created 2010-09-10 13:08:23 +03:00
Kamen Mazdrashki
750300aedf s4-drs-fsmo: try to dispatch ops in queue as soon as possible
In most cases this will make the transfer of schema master role
look like a synchronous operation.
2010-09-10 13:08:22 +03:00
Andrew Tridgell
c34cae81fe s4-fsmo: update FSMO changes for recent IRPC work
the IRPC API has changed

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-10 13:08:20 +03:00
Anatoliy Atanasov
ab01ce6e96 s4/drs: update repsFrom only when we are not in getncchanges extended op 2010-09-10 13:08:20 +03:00
Nadezhda Ivanova
36e663ad71 s4-ldap: Added support for FSMO role transfer via LDAP by modify on rootDSE
GetNCChanges with the corresponding extended operation is initiated and added to
the queue when a modify request is received on becomeSchemaMaster, becomeRidMaster,
becomeNamingMaster, becomeInfrastructureMaster and becomePDC attributes in
rootDSE.
2010-09-10 13:08:19 +03:00
Nadezhda Ivanova
0229ac455d s4-irpc: Added internal rpc call DREPL_TAKEFSMOROLE
It schedules a getncchanges with extended op 6, to be used when a modify request on
becomeROLEMaster attribute on rootDSE is received.
2010-09-10 13:08:18 +03:00
Nadezhda Ivanova
657b7039c3 s4-drs: Implementation of GetNCChanges extended op 6 - fsmo role transfer
Basically the candidate owner makes a getncchanges call with extended op 6 when they want to
become the new owner. The current owner then updates the corresponding fSMORoleOwner attribute
in its database with the new owner, and replicates the change to the candidate, who then becomes the
owner.
The patch was made in cooperation with Anatoliy Atanasov <anatoliy.atanasov@postpath.com> who
kindly helped to debug it.
2010-09-10 13:08:17 +03:00
Nadezhda Ivanova
c8794d2625 s4-drs: Refactored drepl_service and send_ridalloc_request so that the structures can be used for other extended ops 2010-09-10 13:08:16 +03:00
Kamen Mazdrashki
4f5dd3f93b s4-dreplsrv: Do allocations on long-living context so that callback gets called 2010-09-09 18:26:51 +03:00
Kamen Mazdrashki
3593298c7e s4-dreplsrv: Call dreplsrv_out_operation::callback in case we fail to even run the operation
Operation was scheduled already, so we need to call
the callback function for it to be able to do its job.

For instance, if we are blocking an rpc call until an
operation is completed and there is no memory, then
client will be blocked without knowing what is going on
with the server.
2010-09-09 18:26:51 +03:00
Kamen Mazdrashki
7ee34182df s4-dsdb/repl/drepl_out_pull.c: Remove unused code 2010-09-09 18:26:50 +03:00
Kamen Mazdrashki
ef56945d0e s4-drepl_service.c: Update (C)
and remove few trailing white spaces
2010-09-09 18:26:50 +03:00
Kamen Mazdrashki
3fa3bc7eba s4-drepsrv: Dump more info when drepl_replica_sync() fails
There are many spots where this function may fail
and I find it very useful to know where exactly function
fails and what are the input parameters during testing.

REPLICA_SYNC_FAIL() macro now dumps an error message
so we may remove extra DEBUG() dump in implementation.
2010-09-09 18:26:50 +03:00
Andrew Bartlett
b2ea0ca3d6 s4-dsdb Change debug levels for startup messages
We should make the 'common' error not show up, but the unusual case fatal.

Andrew Bartlett
2010-09-09 21:39:25 +10:00
Andrew Tridgell
54e86d881d s4-pydsdb: expose samdb_partitions_dn() as get_partitions_dn() in python
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-09 21:39:24 +10:00
Kamen Mazdrashki
e64e398568 s4-dreplsrv: Run NC replication synchronously if requested 2010-09-07 17:09:35 +03:00
Kamen Mazdrashki
dea5c7b948 s4-idl: redefine dreplsrv_refresh() to be alike other RPC function definitions
Sorry for the 'custom' definition first time
2010-09-05 23:34:28 +03:00
Matthieu Patou
42dfa71ef5 dsdb: make the ATTRIBUTE NOT FOUND more clear 2010-09-05 12:29:20 +04:00
Jelmer Vernooij
72f3727464 dsdb: Add missing dependencies for dsdb ldb modules. 2010-09-04 15:00:33 +02:00
Stefan Metzmacher
ff0362fc35 s4:dsdb/kcc: use irpc_binding_handle_by_name()
metze
2010-09-03 17:00:19 +02:00
Kamen Mazdrashki
65b21c0562 s4-dreplsrv: Refactor drepl_replica_sync() to behave as described in MS-DRSR
see: MS-DRSR - 4.1.23.2

Note: Synchronous replication not implemented yet.
2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
715743b38d s4-dreplsrv: Helpers to locate source DSA in a partition by GUID or DNS name 2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
3691e6c97b s4-dreplsrv: Helper to find NC by DN or GUID or SID 2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
5685fb64e4 s4-dreplsrv: Add caller-specific data parameter for dreplsrv_fsmo_callback_t
It is to be used when we need to preserve a state
to be used in the callback when dreplsrv_out_operation is completed
2010-09-03 13:23:47 +03:00
Andrew Bartlett
768475d571 s4:dsdb Fix attribute being searched for in dereference against Fedora DS
The problem here is that these attributes are not mapped in the
simple_ldap_map, and they were changed a while back.

Andrew Bartlett
2010-09-02 10:40:34 +10:00
Andrew Bartlett
68c61dfa3f s4:dsdb Make the dereference control critical if input is critical
This helps us ensure that the backend knows about and respects the
dereference control if our caller has asked that the extended DN control
be considered critical.

Andrew Bartlett
2010-09-02 10:40:34 +10:00
Andrew Bartlett
379d073444 s4:dsdb Don't reload the schema against OpenLDAP backend
The schema should be considered read-only when we are using the OL
backend, as we can't update the backend schema in real time anyway.

Andrew Bartlett
2010-09-02 10:40:34 +10:00
Kamen Mazdrashki
b5ed9c2c4d s4-kcc: Notify dreplsrv that Topology has changed 2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
b954834ad1 s4-dreplsrv: Implement irpc stub to be used to force dreplsrv to update internal cache
This IRPC calls is to be used whenever repsFrom/repsTo are
changed by administrative tool or KCC (i.e. Topology changes).

At present, only KCC may change topology.
2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
53551a76c5 s4-dreplsrv: Move partition cache update before scheduling another set of replications 2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
a052497c74 s4-kcc: Assert when unexpected repsFromToBlob version is passed
At present we only support v1 structures (Win2k3 and earlier),
so it is good to make it obvious.
In case we start supporting v2 we will be able to notice this
function should be refactored right away
2010-08-28 23:38:58 +03:00
Nadezhda Ivanova
c679290f6e s4-dsdb: Fixed a compiler warning. 2010-08-27 12:34:27 +03:00
Matthias Dieter Wallnöfer
b11b2425a9 s4:dsdb_module_find_dsheuristics - free the "DN" also on other exit cases 2010-08-26 21:06:06 +02:00
Nadezhda Ivanova
ff2037876f s4-dsdb: Removed an unnecessary space in dsdb_module_find_dsheuristics() 2010-08-26 17:37:49 +03:00
Nadezhda Ivanova
a571487e6c s4-dsdb: Added utility functions for retrieving dSHeuristics from the module stack
Also a function to check dsHeuristics value to determine if anonymous access should be blocked
2010-08-26 17:18:40 +03:00
Andrew Tridgell
cb0f8f0ee0 s4-repl: load RODC partitions using msDS-hasFullReplicaNCs
we mark these as incoming_only

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 23:05:05 +10:00
Andrew Tridgell
f42af4ea68 s4-dsdb: make more of the UF_* flags available on pydsdb
this really should be moved to IDL
2010-08-25 08:40:05 +10:00
Andrew Tridgell
4ab1a489c7 s4-dsdb: add more DS flags to the dsdb module
These are from libds/common/flags.h

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 08:40:04 +10:00
Andrew Tridgell
8438da96ba s4-dsdb: added get_attid_from_lDAPDisplayName() on samdb
This can be used to form the partial_attribute_set list for
GetNCChanges

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 08:40:04 +10:00
Andrew Bartlett
6cf29b3e4f s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code.  (The remaining changes are that privileges still need to be merged)

Andrew Bartlett
2010-08-23 08:50:55 +10:00
Andrew Tridgell
0cc3525c03 s4-dsdb: the RODC_JOIN control also changes samAccountName
when adding a user with the RODC_JOIN control, the samAccountName is
automatically set to the krbtgt_NNNNN form

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:12 +10:00
Andrew Tridgell
6eb34e6907 s4-dsdb: fixed dsdb_get_extended_dn_sid()
it should honor the component_name

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Andrew Tridgell
c122939919 s4-drs: implement RODC attribute filtering override
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Kamen Mazdrashki
89899f55dc s4-drs: ATTIDs for deleted attributes should be based on msDs-IntId value if it exists 2010-08-19 03:34:05 +03:00
Kamen Mazdrashki
695072478d s4-dsdb: No need for dsdb_syntax_one_DN_drsuapi_to_ldb() to be public
It is intended to be used in schema_syntax.c module
2010-08-19 03:34:04 +03:00
Kamen Mazdrashki
35d886db17 s4-dsdb-syntax: ATTID should be msDs-IntId value for the attributeSchema object
in case object replicated is not in Schema NC and attributeSchema
object has msDs-IntId attribute value set
2010-08-19 03:34:03 +03:00
Kamen Mazdrashki
fffc98f33e s4: fix few comment typos 2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
d01804dda9 s4-schema_syntax.c: Fix white spaces and alignment 2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
c5ec1f3d92 s4-dsdb: Use dsdb_syntax_ctx in *_drsuapi_to_ldb functions 2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
b5af7b9a1e s4-dsdb: Use dsdb_syntax_ctx in *_ldb_to_drsuapi functions 2010-08-19 03:34:01 +03:00
Kamen Mazdrashki
ca80918613 s4-dsdb: Use dsdb_syntax_ctx in *_validate_ldb functions 2010-08-19 03:34:01 +03:00
Kamen Mazdrashki
b7d1586ccd s4-dsdb: Add context structure for dsdb_syntax conversion functions
This structure is intended to hold context-dependent data.

Syntax-conversion and object-conversion functions need
that data to convert objects and attributes from drs-to-ldb
and ldb-to-drs correctly.

For instance: ATTID value depends on whether we are converting
object from partition different than Schema partition.
2010-08-19 03:34:01 +03:00
Andrew Bartlett
23dc2e4244 s4:auth Change {anonymous,system}_session to use common session_info generation
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.

Andrew Bartlett
2010-08-18 09:50:45 +10:00
Andrew Bartlett
ba52834dd9 s4:auth Remove system_session_anon() from python bindings 2010-08-18 09:50:44 +10:00
Andrew Bartlett
7c6ca95bec s4:security Remove use of user_sid and group_sid from struct security_token
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-18 09:50:38 +10:00
Matthias Dieter Wallnöfer
eb345ebedf s4:samdb_set_password/samdb_set_password_sid - make more arguments "const" 2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
d72d7f9c5f s4:samdb_set_password/samdb_set_password_sid - make the adaptions to support the password change control
And introduce parameters to pass the old password hashes.
2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
35954bb310 s4:password_hash LDB module - perform the adaptions to understand the new password change control 2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
23bd3a7417 s4:acl LDB module - support password changes over the DSDB_CONTROL_PASSWORD_CHANGE_OID control
This control is used from the SAMR and "kpasswd" password changes. It is
strictly private and means "this is a password change and not a password set".
2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
895a9fbbfb s4:DSDB - DSDB_CONTROL_PASSWORD_CHANGE_OID - add a structure as value to the control
This contains the NT and/or LM hash of the password specified by the user.
2010-08-17 18:45:32 +02:00
Matthias Dieter Wallnöfer
bbb9dc806e s4:DSDB - rename the "DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID"
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards
contain a record with the specified old password as NT and/or LM hash.
2010-08-17 18:45:32 +02:00
Nadezhda Ivanova
38e41728c5 s4-tests: Added tests for acl checks on search requests 2010-08-17 17:05:42 +03:00
Andrew Tridgell
896f10301c s4-dsdb: check the type of session_info from the opaque
we saw a crash with a bad pointer here, and this may help track it
down

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:51 +10:00
Andrew Tridgell
4e9daa0f03 s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT
when this is in user_account_control the account is a RODC, and we
need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
df14f645b3 s4-dsdb: cope with cracknames of form dnsdomain\account
this is used by w2k8r2 when doing a RODC dcpromo

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
f6e0b151a3 s4-dsdb: set LDB_FLAG_INTERNAL_DISABLE_VALIDATION for msDS-SecondaryKrbTgtNumber
msDS-SecondaryKrbTgtNumber is setup with a value that is outside the
range allowed by the schema (the schema has
rangeLower==rangeUpper==65536). We need to mark this element as being
internally generated to avoid the range checks

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
0caf347098 s4-ldb: added LDB_FLAG_INTERNAL_DISABLE_VALIDATION
When this flag is set on an element in an add/modify request then the
normal validate_ldb() call that checks the element against schema
constraints is disabled

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
6baa834ebe s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messages
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.

This will allow us to use some of the other flags bits for internal
markers on elements

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
527042f78b s4-dsdb: support LDB_CONTROL_RODC_DCPROMO_OID for nTDSDSA add
this control disables the system only check for nTDSDSA add operations

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
974279b67d s4-dsdb: fixed test for LDB_CONTROL_RODC_DCPROMO_OID
the ldb_msg_add_fmt() call returns LDB_SUCCESS on success
2010-08-17 21:21:50 +10:00
Andrew Tridgell
191d632e23 s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID
this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a
user object.

There is some 'interesting' interaction with the rangeLower and
rangeUpper attributes and this add. We don't implement
rangeLower/rangeUpper yet, but when we do we'll need an override for
this control (or be careful about module ordering).

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:49 +10:00
Matthias Dieter Wallnöfer
dadcc84009 s4:samdb_set_password_sid - fix comment
Add more possible result NTSTATUS codes
2010-08-16 18:45:26 +02:00
Matthias Dieter Wallnöfer
1fc3676974 s4:samdb_set_password - fix formatting
(Sorry, I've overseen this)
2010-08-15 19:45:29 +02:00
Matthias Dieter Wallnöfer
af3c6a4242 s4:passwords.py - proof the most important extended error codes 2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
3fcd76237d s4:samdb_set_password - implement the extended LDAP error code detection 2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
2dbff00b6d s4:password_hash LDB module - introduce the extended LDAP error codes on the important failure cases 2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
33bb063b05 s4:password_hash LDB module - support this new password set syntax 2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
6dc0c07a51 s4:passwords.py - another special password test
This looks like a password change but it's rather a password set operation.
2010-08-15 19:42:39 +02:00
Matthias Dieter Wallnöfer
28cfae774e s4:password_hash LDB module - allow to compare against both NT and LM hashes on password change operations
This is to match the SAMR password change behaviour.
2010-08-15 19:42:39 +02:00
Matthias Dieter Wallnöfer
fb274f056b s4:subtree_rename.c - relax the checks when requested
(Needed by upgradeprovision for example)
2010-08-15 09:24:22 +02:00
Matthias Dieter Wallnöfer
07af3f289e s4:samdb_set_password - return "NT_STATUS_WRONG_PASSWORD" when a user account doesn't exist
This is for the (SAMR) account detection protection mechanism.
2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
1fa9e99442 s4:password_hash LDB module - improve an error message 2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
4b569d74a4 s4:password_hash LDB module - implement the SAMR behaviour when checking old passwords
Sooner or later this module should take over all password change actions.
2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
e335b24ad0 s4:password_hash LDB module - fix wrong error codes
To match the passwords.py test
2010-08-14 18:48:19 +02:00
Matthias Dieter Wallnöfer
a9b055291c s4:passwords.py - test the error code when there doesn't exist any password yet
After the creation of a user object we don't have any password yet.
2010-08-14 18:48:19 +02:00
Matthias Dieter Wallnöfer
c335c5f54a s4:passwords.py - perform testing of wrong old passwords on change operations 2010-08-14 18:48:19 +02:00
Kamen Mazdrashki
d595f070f6 s4-dsdb: fix attributes_by_msDS_IntId index sorting 2010-08-11 00:18:14 +03:00
Matthias Dieter Wallnöfer
067b5721c7 s4:objectclass LDB module - weaken the check for the "rIDSet" delete constraint
Perform it only when a "rIDSet" does exist. Requested by ekacnet for
"upgradeprovision".
2010-08-10 21:01:11 +02:00
Matthias Dieter Wallnöfer
303089f5b8 s4:dsdb/common/util.c - provide a call which returns the forest function level
Sooner or later we'll need this too since not all operations depend only on the
current's domain function level (see the MS-ADTS docs).
2010-08-10 19:08:56 +02:00
Matthias Dieter Wallnöfer
e53fc1228f s4:dsdb/common/util.c - use LDB constants whenever possible 2010-08-10 19:08:56 +02:00
Matthias Dieter Wallnöfer
390bfed7b7 s4:kcc_connection.c - fix typo in error message 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
bc702a394d s4:ldap.py - comment a test part which fails with another error code on Windows 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
8243272fa0 s4:ldap.py - test the new "systemFlags" constraint 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
f99d672b13 s4:objectclass LDB module - "add operation" - enhance and clean the "systemFlags" section
Also here we have to test for single-valueness.
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
e009d02bd5 s4:ldap.py - test for an invalid "objectCategory" attribute 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
6e6af9c14c s4:objectclass LDB module - "add operation" - implement "objectCategory" validation 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
299b59b7c3 s4:ldap.py - proof for the impossibility to add a LSA-specific object over LDAP 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
89c71a8f06 s4:urgent_replication.py - relax also here the add of a secrets object 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
25e973d5db s4:dsdb/common/util.c - add a function "dsdb_add" 2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
7d62128e2c s4:objectclass LDB module - "add operation" - reject creation of LSA specific objects
(only using the RELAX flag allowed)
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
a3c6d4c4d5 s4:objectclass LDB module - "add operation" - move two checks
To be more consistent with the MS-ADTS doc.
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
ace6f52d57 s4:objectclass LDB module - "add operation" - deny multiple "objectclass" message elements
Requested by MS-ADTS 3.1.1.5.2.2
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
9f0cbe1558 s4:objectclass LDB module - "add" operation - free "mem_ctx" as soon as possible
We don't need to have it around until the end of the function.
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
dbdef72953 s4:LDB modules - remove the "kludge_acl" module code
Obviously this has been forgotten by Nadya.
2010-08-04 19:47:41 +02:00
Nadezhda Ivanova
d50a9e8d9e s4-dsdb: Removed kludge_acl as it is no longer necessary
Moved the access check on extended operations to acl module and removed kludge_acl
2010-08-04 15:22:17 +03:00
Kamen Mazdrashki
f827904596 s4-schema: More verbose error log when subClassOf is not found in schema
Error message show failing classSchema object
but not the specific value for the failure,
which makes diagnostics by log files really hard.
2010-08-03 04:29:23 +03:00
Kamen Mazdrashki
a268e0846f s4: fix comment typos 2010-08-03 04:29:22 +03:00
Matthias Dieter Wallnöfer
e4b32cb0d4 s4:ldap.py - remove superfluous spaces
Sorry, forgot to delete them in the last commit
2010-08-01 22:12:04 +02:00
Matthias Dieter Wallnöfer
e92f447823 s4:ldap.py - additional "instanceType" checks 2010-08-01 21:30:30 +02:00
Matthias Dieter Wallnöfer
c38219adfc s4:instancetype LDB module - add checks requested by MS-ADTS 3.1.1.5.2.2
We've to test for the WRITE flag if we are performing an NC add. And if it
isn't an NC add then only the WRITE or no flag is allowed.
2010-08-01 21:30:29 +02:00
Matthias Dieter Wallnöfer
ba4578f98b s4:objectclass LDB module - consider the "instanceType" when adding NCs
This is requested by MS-ADTS 3.1.1.5.2.2 (NC add operation).
2010-08-01 21:30:29 +02:00
Matthias Dieter Wallnöfer
89c7859006 s4:descriptor LDB module - remove the "forest DN" check
Also here we have to work with the default base DN.

After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!

Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01 21:30:28 +02:00
Matthias Dieter Wallnöfer
f824e459f0 s4:acl LDB module - remove the "forest DN" check
After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!

Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01 21:30:28 +02:00
Matthias Dieter Wallnöfer
149f4251c5 s4:acl LDB module - remove unused call "is_root_base_dn" 2010-08-01 21:30:27 +02:00
Matthias Dieter Wallnöfer
3f2a8d5081 s4:urgent_replication.py test - adapt the test for the harder delete restrictions
Otherwise we are not able to delete the "test crossRef" object which points
to the default NC anymore.
2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
ea5c40428f s4:ldap.py - perform tests on the additional delete constraint checks 2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
316eda1206 s4:objectclass LDB module - implement additional delete constraint checks
MS-ADTS 3.1.1.5.5.3
2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
542396ccd9 s4:ldap.py - add a test for "CN=System" object rename behaviour 2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
7ea1796fa4 s4:subtree_rename LDB module - rename "check_system_flags" into "check_constraints" and perform more checks
Always considering MS-ADTS 3.1.1.5.4.1.2.
2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
2e66033ab9 s4:subtree_rename LDB module - introduce out of memory checks 2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
f997fd299d s4:dsdb/samdb/ldb_modules/util.c - remove unused variables 2010-08-01 11:33:37 +02:00
Matthias Dieter Wallnöfer
81cc92c5af s4:ldap.py - performs some "systemFlags" testing 2010-08-01 09:36:01 +02:00
Matthias Dieter Wallnöfer
3cdc83d4f9 s4:subtree_rename LDB module - introduce the "systemFlags" protection rules
This is done in a dedicated call "check_system_flags".
2010-08-01 09:35:54 +02:00
Matthias Dieter Wallnöfer
3244f6feaa s4:dsdb/pydsdb.c - import "systemFlags" into Python
Needed by ldap.py tests
2010-07-31 21:43:11 +02:00
Matthias Dieter Wallnöfer
4e3afb36da s4:subtree_rename LDB module - "subren_ctx_init" - fix the "out of memory" return 2010-07-31 21:33:33 +02:00
Kamen Mazdrashki
86cc914717 s4-dsdb: use ldb_msg_normalize() in source4/dsdb/schema/schema_set.c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:34 +10:00
Kamen Mazdrashki
fb1c0796c7 s4-dsdb/schema/schema_set.c: fix trailing spaces and comments spelling
Few comments split on several lines also...

(Sorry Metze, I know you hate reviewing "and this, and that"
type of patches, but those are just cosmetics)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:33 +10:00
Kamen Mazdrashki
a11d3b4dfb s4-dsdb: use ldb_msg_difference() in source4/dsdb/schema/schema_set.c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:33 +10:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Matthieu Patou
a748402f61 s4 ldb modules: relax some tests about attributes that should not be here
For attributes that we know that are harmless and that used to be stored
in the ldb we relax the tests on the existence in a given objectclass.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:21 +10:00
Matthieu Patou
6a0856da9c s4 dsdb: Use the changereplmetadata control
This control allows the replPropertyMetaData attribute to
be specified on modify request. It can be used for very specific needs
to tweak the content of the replication data.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:20 +10:00
Matthieu Patou
d861ebbd81 s4 dsdb: create a new control: changereplmetadata
This control is designed to allow replmetadata to be specified

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:20 +10:00
Nadezhda Ivanova
d35e9008a7 s4: Added acl search tests for anonymous connection.
The tests make sure that we comply with dsHeuristics setting and
restrict anonymous access to rootDSE. They will be enabled when the
implementation is pushed. Tests are verified against win2k8.
2010-07-14 14:44:46 +03:00
Nadezhda Ivanova
0b2d965e4b s4: Reorganized dsHeuristics reset so the code can be reused
Moved the setting of dsHeuristics to a method as soon we will have to set other
values as well in different tests
2010-07-13 17:15:54 +03:00
Stefan Metzmacher
1caa8b06f7 s4:drepl_notify: hide some bugs from the make test output
It's useless to get messages like this every few seconds:

dreplsrv_notify: Failed to send DsReplicaSync to
edbf4745-2966-49a7-8653-99200f1c9430._msdcs.samba2003.example.com for
CN=Configuration,DC=samba2003,DC=example,DC=com -
NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE

We have a non bug regarding non-linked DN attributes
and changes of the target DN.

metze
2010-07-09 16:43:17 +02:00
Stefan Metzmacher
538bb9b3ec s4:dsdb/repl: expose drsuapi_DsExtendedError to the caller (e.g. the ridalloc client)
metze
2010-07-09 09:27:16 +02:00
Stefan Metzmacher
49deed5a77 s4:drepl_out_helpers: don't return NT_STATUS_OK, if an extended operation doesn't return success
metze
2010-07-09 09:27:16 +02:00
Stefan Metzmacher
658a0f9ef8 s4:drepl_ridalloc: only ask the rid master for a new rid pool if we need to.
if we are at least half-exhausted then ask for a new pool.

This fixes a bug where we're sending uninitialized alloc_pool
variable as exop->fsmo_info to the rid master and get back
DRSUAPI_EXOP_ERR_PARAM_ERROR.

metze
2010-07-09 09:27:15 +02:00
Stefan Metzmacher
afba6204a3 s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_allocate_rid_pool_fsmo()
metze
2010-07-09 09:27:15 +02:00
Stefan Metzmacher
cd8d8dfe14 s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_allocate_rid()
metze
2010-07-09 09:27:14 +02:00
Stefan Metzmacher
3b8c9276dc s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_create_rid_set_ntds()
metze
2010-07-09 09:27:14 +02:00
Stefan Metzmacher
12d26d59bd s4:dsdb:ridalloc: add ridalloc_ridset_values infrastructure
metze
2010-07-09 09:27:13 +02:00
Stefan Metzmacher
bbed1fdfcd s4:dsdb:ridalloc: use dsdb_module_constrainted_update_uint64() to update rIDAvailablePool
metze
2010-07-09 09:27:13 +02:00
Stefan Metzmacher
ad17333114 s4:dsdb:ridalloc.c: fix C++ warning
metze
2010-07-09 09:27:12 +02:00
Stefan Metzmacher
217177a4df s4:dsdb: add dsdb_module_constrainted_update_uint32/64() wrapper functions
metze
2010-07-09 09:27:12 +02:00
Stefan Metzmacher
65ca5a3542 s4:dsdb: add dsdb_msg_constrainted_update_uint32/64() wrapper functions
metze
2010-07-09 09:27:11 +02:00
Stefan Metzmacher
1d6f321a91 s4:dsdb: add dsdb_module_constrainted_update_int32/64() functions
metze
2010-07-09 09:27:11 +02:00
Stefan Metzmacher
388e955f28 s4:dsdb: add dsdb_msg_constrainted_update_int32/64() functions
metze
2010-07-09 09:27:11 +02:00
Matthias Dieter Wallnöfer
6b7e436871 s4:acl LDB module - password attributes - check also the "dBCSPwd" attribute
It's also a possible password change/set attribute candidate.
2010-07-08 21:52:15 +02:00
Matthias Dieter Wallnöfer
921308f1e8 s4:acl LDB module - move a "mem_ctx" creation to the place where it is actually checked
Memory allocations and their result checks should be as tight as possible.
2010-07-08 19:28:44 +02:00
Nadezhda Ivanova
10c60f2372 Added a test to prove by default users can change each other's pass if the old is known 2010-07-08 15:38:16 +03:00
Kamen Mazdrashki
609b865691 s4-dsdb/util: Reorder DSDB_FLAG_* checks
One good thing about having more clear function interfaces
(and forcing callers to specify clearly what they want)
is that now I can execute following search:
git grep DSDB_FLAG_NEXT_MODULE | wc -l

This showed that DSDB_FLAG_NEXT_MODULE flag is about 6 times
more frequently used than DSDB_FLAG_OWN_MODULE.
So this should reduce branch prediction by six times
in this part of the code, right :)
2010-07-08 02:38:36 +03:00
Kamen Mazdrashki
0c4bbb7106 s4-dsdb: Implement module switching in dsdb_module_search_dn()
This allows caller to choose from where to start DN search
2010-07-08 02:38:36 +03:00
Kamen Mazdrashki
62a0f11dcb s4-source4/dsdb/samdb/ldb_modules/acl.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
02f0c6d1eb s4-source4/dsdb/samdb/ldb_modules/linked_attributes.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
0d2116a423 s4-source4/dsdb/samdb/ldb_modules/naming_fsmo.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
b18ab82604 s4-source4/dsdb/samdb/ldb_modules/operational.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:34 +03:00
Kamen Mazdrashki
7694b1964f s4-source4/dsdb/samdb/ldb_modules/partition_init.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:34 +03:00
Kamen Mazdrashki
b62715964a s4-source4/dsdb/samdb/ldb_modules/pdc_fsmo.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:33 +03:00
Kamen Mazdrashki
2ee14378c3 s4-source4/dsdb/samdb/ldb_modules/repl_meta_data.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:33 +03:00