Kamen Mazdrashki
7ee34182df
s4-dsdb/repl/drepl_out_pull.c: Remove unused code
2010-09-09 18:26:50 +03:00
Kamen Mazdrashki
ef56945d0e
s4-drepl_service.c: Update (C)
...
and remove few trailing white spaces
2010-09-09 18:26:50 +03:00
Kamen Mazdrashki
3fa3bc7eba
s4-drepsrv: Dump more info when drepl_replica_sync() fails
...
There are many spots where this function may fail
and I find it very useful to know where exactly function
fails and what are the input parameters during testing.
REPLICA_SYNC_FAIL() macro now dumps an error message
so we may remove extra DEBUG() dump in implementation.
2010-09-09 18:26:50 +03:00
Andrew Bartlett
b2ea0ca3d6
s4-dsdb Change debug levels for startup messages
...
We should make the 'common' error not show up, but the unusual case fatal.
Andrew Bartlett
2010-09-09 21:39:25 +10:00
Andrew Tridgell
54e86d881d
s4-pydsdb: expose samdb_partitions_dn() as get_partitions_dn() in python
...
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-09 21:39:24 +10:00
Kamen Mazdrashki
e64e398568
s4-dreplsrv: Run NC replication synchronously if requested
2010-09-07 17:09:35 +03:00
Kamen Mazdrashki
dea5c7b948
s4-idl: redefine dreplsrv_refresh() to be alike other RPC function definitions
...
Sorry for the 'custom' definition first time
2010-09-05 23:34:28 +03:00
Matthieu Patou
42dfa71ef5
dsdb: make the ATTRIBUTE NOT FOUND more clear
2010-09-05 12:29:20 +04:00
Jelmer Vernooij
72f3727464
dsdb: Add missing dependencies for dsdb ldb modules.
2010-09-04 15:00:33 +02:00
Stefan Metzmacher
ff0362fc35
s4:dsdb/kcc: use irpc_binding_handle_by_name()
...
metze
2010-09-03 17:00:19 +02:00
Kamen Mazdrashki
65b21c0562
s4-dreplsrv: Refactor drepl_replica_sync() to behave as described in MS-DRSR
...
see: MS-DRSR - 4.1.23.2
Note: Synchronous replication not implemented yet.
2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
715743b38d
s4-dreplsrv: Helpers to locate source DSA in a partition by GUID or DNS name
2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
3691e6c97b
s4-dreplsrv: Helper to find NC by DN or GUID or SID
2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
5685fb64e4
s4-dreplsrv: Add caller-specific data parameter for dreplsrv_fsmo_callback_t
...
It is to be used when we need to preserve a state
to be used in the callback when dreplsrv_out_operation is completed
2010-09-03 13:23:47 +03:00
Andrew Bartlett
768475d571
s4:dsdb Fix attribute being searched for in dereference against Fedora DS
...
The problem here is that these attributes are not mapped in the
simple_ldap_map, and they were changed a while back.
Andrew Bartlett
2010-09-02 10:40:34 +10:00
Andrew Bartlett
68c61dfa3f
s4:dsdb Make the dereference control critical if input is critical
...
This helps us ensure that the backend knows about and respects the
dereference control if our caller has asked that the extended DN control
be considered critical.
Andrew Bartlett
2010-09-02 10:40:34 +10:00
Andrew Bartlett
379d073444
s4:dsdb Don't reload the schema against OpenLDAP backend
...
The schema should be considered read-only when we are using the OL
backend, as we can't update the backend schema in real time anyway.
Andrew Bartlett
2010-09-02 10:40:34 +10:00
Kamen Mazdrashki
b5ed9c2c4d
s4-kcc: Notify dreplsrv that Topology has changed
2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
b954834ad1
s4-dreplsrv: Implement irpc stub to be used to force dreplsrv to update internal cache
...
This IRPC call is to be used whenever repsFrom/repsTo are
changed by administrative tool or KCC (i.e. Topology changes).
At present, only KCC may change topology.
2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
53551a76c5
s4-dreplsrv: Move partition cache update before scheduling another set of replications
2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
a052497c74
s4-kcc: Assert when unexpected repsFromToBlob version is passed
...
At present we only support v1 structures (Win2k3 and earlier),
so it is good to make it obvious.
In case we start supporting v2 we will be able to notice this
function should be refactored right away
2010-08-28 23:38:58 +03:00
Nadezhda Ivanova
c679290f6e
s4-dsdb: Fixed a compiler warning.
2010-08-27 12:34:27 +03:00
Matthias Dieter Wallnöfer
b11b2425a9
s4:dsdb_module_find_dsheuristics - free the "DN" also on other exit cases
2010-08-26 21:06:06 +02:00
Nadezhda Ivanova
ff2037876f
s4-dsdb: Removed an unnecessary space in dsdb_module_find_dsheuristics()
2010-08-26 17:37:49 +03:00
Nadezhda Ivanova
a571487e6c
s4-dsdb: Added utility functions for retrieving dSHeuristics from the module stack
...
Also a function to check dsHeuristics value to determine if anonymous access should be blocked
2010-08-26 17:18:40 +03:00
Andrew Tridgell
cb0f8f0ee0
s4-repl: load RODC partitions using msDS-hasFullReplicaNCs
...
we mark these as incoming_only
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 23:05:05 +10:00
Andrew Tridgell
f42af4ea68
s4-dsdb: make more of the UF_* flags available on pydsdb
...
this really should be moved to IDL
2010-08-25 08:40:05 +10:00
Andrew Tridgell
4ab1a489c7
s4-dsdb: add more DS flags to the dsdb module
...
These are from libds/common/flags.h
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 08:40:04 +10:00
Andrew Tridgell
8438da96ba
s4-dsdb: added get_attid_from_lDAPDisplayName() on samdb
...
This can be used to form the partial_attribute_set list for
GetNCChanges
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 08:40:04 +10:00
Andrew Bartlett
6cf29b3e4f
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid
...
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privileges still need to be merged)
Andrew Bartlett
2010-08-23 08:50:55 +10:00
Andrew Tridgell
0cc3525c03
s4-dsdb: the RODC_JOIN control also changes samAccountName
...
when adding a user with the RODC_JOIN control, the samAccountName is
automatically set to the krbtgt_NNNNN form
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:12 +10:00
Andrew Tridgell
6eb34e6907
s4-dsdb: fixed dsdb_get_extended_dn_sid()
...
it should honor the component_name
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Andrew Tridgell
c122939919
s4-drs: implement RODC attribute filtering override
...
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Kamen Mazdrashki
89899f55dc
s4-drs: ATTIDs for deleted attributes should be based on msDs-IntId value if it exists
2010-08-19 03:34:05 +03:00
Kamen Mazdrashki
695072478d
s4-dsdb: No need for dsdb_syntax_one_DN_drsuapi_to_ldb() to be public
...
It is intended to be used in schema_syntax.c module
2010-08-19 03:34:04 +03:00
Kamen Mazdrashki
35d886db17
s4-dsdb-syntax: ATTID should be msDs-IntId value for the attributeSchema object
...
in case object replicated is not in Schema NC and attributeSchema
object has msDs-IntId attribute value set
2010-08-19 03:34:03 +03:00
Kamen Mazdrashki
fffc98f33e
s4: fix few comment typos
2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
d01804dda9
s4-schema_syntax.c: Fix white spaces and alignment
2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
c5ec1f3d92
s4-dsdb: Use dsdb_syntax_ctx in *_drsuapi_to_ldb functions
2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
b5af7b9a1e
s4-dsdb: Use dsdb_syntax_ctx in *_ldb_to_drsuapi functions
2010-08-19 03:34:01 +03:00
Kamen Mazdrashki
ca80918613
s4-dsdb: Use dsdb_syntax_ctx in *_validate_ldb functions
2010-08-19 03:34:01 +03:00
Kamen Mazdrashki
b7d1586ccd
s4-dsdb: Add context structure for dsdb_syntax conversion functions
...
This structure is intended to hold context-dependent data.
Syntax-conversion and object-conversion functions need
that data to convert objects and attributes from drs-to-ldb
and ldb-to-drs correctly.
For instance: ATTID value depends on whether we are converting
object from partition different than Schema partition.
2010-08-19 03:34:01 +03:00
Andrew Bartlett
23dc2e4244
s4:auth Change {anonymous,system}_session to use common session_info generation
...
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.
Andrew Bartlett
2010-08-18 09:50:45 +10:00
Andrew Bartlett
ba52834dd9
s4:auth Remove system_session_anon() from python bindings
2010-08-18 09:50:44 +10:00
Andrew Bartlett
7c6ca95bec
s4:security Remove use of user_sid and group_sid from struct security_token
...
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-18 09:50:38 +10:00
Matthias Dieter Wallnöfer
eb345ebedf
s4:samdb_set_password/samdb_set_password_sid - make more arguments "const"
2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
d72d7f9c5f
s4:samdb_set_password/samdb_set_password_sid - make the adaptions to support the password change control
...
And introduce parameters to pass the old password hashes.
2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
35954bb310
s4:password_hash LDB module - perform the adaptions to understand the new password change control
2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
23bd3a7417
s4:acl LDB module - support password changes over the DSDB_CONTROL_PASSWORD_CHANGE_OID control
...
This control is used from the SAMR and "kpasswd" password changes. It is
strictly private and means "this is a password change and not a password set".
2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
895a9fbbfb
s4:DSDB - DSDB_CONTROL_PASSWORD_CHANGE_OID - add a structure as value to the control
...
This contains the NT and/or LM hash of the password specified by the user.
2010-08-17 18:45:32 +02:00
Matthias Dieter Wallnöfer
bbb9dc806e
s4:DSDB - rename the "DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID"
...
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards
contain a record with the specified old password as NT and/or LM hash.
2010-08-17 18:45:32 +02:00
Nadezhda Ivanova
38e41728c5
s4-tests: Added tests for acl checks on search requests
2010-08-17 17:05:42 +03:00
Andrew Tridgell
896f10301c
s4-dsdb: check the type of session_info from the opaque
...
we saw a crash with a bad pointer here, and this may help track it
down
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:51 +10:00
Andrew Tridgell
4e9daa0f03
s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT
...
when this is in user_account_control the account is a RODC, and we
need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
df14f645b3
s4-dsdb: cope with cracknames of form dnsdomain\account
...
this is used by w2k8r2 when doing a RODC dcpromo
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
f6e0b151a3
s4-dsdb: set LDB_FLAG_INTERNAL_DISABLE_VALIDATION for msDS-SecondaryKrbTgtNumber
...
msDS-SecondaryKrbTgtNumber is setup with a value that is outside the
range allowed by the schema (the schema has
rangeLower==rangeUpper==65536). We need to mark this element as being
internally generated to avoid the range checks
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
0caf347098
s4-ldb: added LDB_FLAG_INTERNAL_DISABLE_VALIDATION
...
When this flag is set on an element in an add/modify request then the
normal validate_ldb() call that checks the element against schema
constraints is disabled
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
6baa834ebe
s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messages
...
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
527042f78b
s4-dsdb: support LDB_CONTROL_RODC_DCPROMO_OID for nTDSDSA add
...
this control disables the system only check for nTDSDSA add operations
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
974279b67d
s4-dsdb: fixed test for LDB_CONTROL_RODC_DCPROMO_OID
...
the ldb_msg_add_fmt() call returns LDB_SUCCESS on success
2010-08-17 21:21:50 +10:00
Andrew Tridgell
191d632e23
s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID
...
this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a
user object.
There is some 'interesting' interaction with the rangeLower and
rangeUpper attributes and this add. We don't implement
rangeLower/rangeUpper yet, but when we do we'll need an override for
this control (or be careful about module ordering).
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:49 +10:00
Matthias Dieter Wallnöfer
dadcc84009
s4:samdb_set_password_sid - fix comment
...
Add more possible result NTSTATUS codes
2010-08-16 18:45:26 +02:00
Matthias Dieter Wallnöfer
1fc3676974
s4:samdb_set_password - fix formatting
...
(Sorry, I've overseen this)
2010-08-15 19:45:29 +02:00
Matthias Dieter Wallnöfer
af3c6a4242
s4:passwords.py - proof the most important extended error codes
2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
3fcd76237d
s4:samdb_set_password - implement the extended LDAP error code detection
2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
2dbff00b6d
s4:password_hash LDB module - introduce the extended LDAP error codes on the important failure cases
2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
33bb063b05
s4:password_hash LDB module - support this new password set syntax
2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
6dc0c07a51
s4:passwords.py - another special password test
...
This looks like a password change but it's rather a password set operation.
2010-08-15 19:42:39 +02:00
Matthias Dieter Wallnöfer
28cfae774e
s4:password_hash LDB module - allow to compare against both NT and LM hashes on password change operations
...
This is to match the SAMR password change behaviour.
2010-08-15 19:42:39 +02:00
Matthias Dieter Wallnöfer
fb274f056b
s4:subtree_rename.c - relax the checks when requested
...
(Needed by upgradeprovision for example)
2010-08-15 09:24:22 +02:00
Matthias Dieter Wallnöfer
07af3f289e
s4:samdb_set_password - return "NT_STATUS_WRONG_PASSWORD" when a user account doesn't exist
...
This is for the (SAMR) account detection protection mechanism.
2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
1fa9e99442
s4:password_hash LDB module - improve an error message
2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
4b569d74a4
s4:password_hash LDB module - implement the SAMR behaviour when checking old passwords
...
Sooner or later this module should take over all password change actions.
2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
e335b24ad0
s4:password_hash LDB module - fix wrong error codes
...
To match the passwords.py test
2010-08-14 18:48:19 +02:00
Matthias Dieter Wallnöfer
a9b055291c
s4:passwords.py - test the error code when there doesn't exist any password yet
...
After the creation of a user object we don't have any password yet.
2010-08-14 18:48:19 +02:00
Matthias Dieter Wallnöfer
c335c5f54a
s4:passwords.py - perform testing of wrong old passwords on change operations
2010-08-14 18:48:19 +02:00
Kamen Mazdrashki
d595f070f6
s4-dsdb: fix attributes_by_msDS_IntId index sorting
2010-08-11 00:18:14 +03:00
Matthias Dieter Wallnöfer
067b5721c7
s4:objectclass LDB module - weaken the check for the "rIDSet" delete constraint
...
Perform it only when a "rIDSet" does exist. Requested by ekacnet for
"upgradeprovision".
2010-08-10 21:01:11 +02:00
Matthias Dieter Wallnöfer
303089f5b8
s4:dsdb/common/util.c - provide a call which returns the forest function level
...
Sooner or later we'll need this too since not all operations depend only on the
current's domain function level (see the MS-ADTS docs).
2010-08-10 19:08:56 +02:00
Matthias Dieter Wallnöfer
e53fc1228f
s4:dsdb/common/util.c - use LDB constants whenever possible
2010-08-10 19:08:56 +02:00
Matthias Dieter Wallnöfer
390bfed7b7
s4:kcc_connection.c - fix typo in error message
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
bc702a394d
s4:ldap.py - comment a test part which fails with another error code on Windows
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
8243272fa0
s4:ldap.py - test the new "systemFlags" constraint
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
f99d672b13
s4:objectclass LDB module - "add operation" - enhance and clean the "systemFlags" section
...
Also here we have to test for single-valueness.
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
e009d02bd5
s4:ldap.py - test for an invalid "objectCategory" attribute
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
6e6af9c14c
s4:objectclass LDB module - "add operation" - implement "objectCategory" validation
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
299b59b7c3
s4:ldap.py - proof for the impossibility to add a LSA-specific object over LDAP
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
89c71a8f06
s4:urgent_replication.py - relax also here the add of a secrets object
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
25e973d5db
s4:dsdb/common/util.c - add a function "dsdb_add"
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
7d62128e2c
s4:objectclass LDB module - "add operation" - reject creation of LSA specific objects
...
(only using the RELAX flag allowed)
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
a3c6d4c4d5
s4:objectclass LDB module - "add operation" - move two checks
...
To be more consistent with the MS-ADTS doc.
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
ace6f52d57
s4:objectclass LDB module - "add operation" - deny multiple "objectclass" message elements
...
Requested by MS-ADTS 3.1.1.5.2.2
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
9f0cbe1558
s4:objectclass LDB module - "add" operation - free "mem_ctx" as soon as possible
...
We don't need to have it around until the end of the function.
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
dbdef72953
s4:LDB modules - remove the "kludge_acl" module code
...
Obviously this has been forgotten by Nadya.
2010-08-04 19:47:41 +02:00
Nadezhda Ivanova
d50a9e8d9e
s4-dsdb: Removed kludge_acl as it is no longer necessary
...
Moved the access check on extended operations to acl module and removed kludge_acl
2010-08-04 15:22:17 +03:00
Kamen Mazdrashki
f827904596
s4-schema: More verbose error log when subClassOf is not found in schema
...
Error message show failing classSchema object
but not the specific value for the failure,
which makes diagnostics by log files really hard.
2010-08-03 04:29:23 +03:00
Kamen Mazdrashki
a268e0846f
s4: fix comment typos
2010-08-03 04:29:22 +03:00
Matthias Dieter Wallnöfer
e4b32cb0d4
s4:ldap.py - remove superfluous spaces
...
Sorry, forgot to delete them in the last commit
2010-08-01 22:12:04 +02:00
Matthias Dieter Wallnöfer
e92f447823
s4:ldap.py - additional "instanceType" checks
2010-08-01 21:30:30 +02:00
Matthias Dieter Wallnöfer
c38219adfc
s4:instancetype LDB module - add checks requested by MS-ADTS 3.1.1.5.2.2
...
We've to test for the WRITE flag if we are performing an NC add. And if it
isn't an NC add then only the WRITE or no flag is allowed.
2010-08-01 21:30:29 +02:00
Matthias Dieter Wallnöfer
ba4578f98b
s4:objectclass LDB module - consider the "instanceType" when adding NCs
...
This is requested by MS-ADTS 3.1.1.5.2.2 (NC add operation).
2010-08-01 21:30:29 +02:00
Matthias Dieter Wallnöfer
89c7859006
s4:descriptor LDB module - remove the "forest DN" check
...
Also here we have to work with the default base DN.
After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!
Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01 21:30:28 +02:00
Matthias Dieter Wallnöfer
f824e459f0
s4:acl LDB module - remove the "forest DN" check
...
After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!
Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01 21:30:28 +02:00
Matthias Dieter Wallnöfer
149f4251c5
s4:acl LDB module - remove unused call "is_root_base_dn"
2010-08-01 21:30:27 +02:00
Matthias Dieter Wallnöfer
3f2a8d5081
s4:urgent_replication.py test - adapt the test for the harder delete restrictions
...
Otherwise we are not able to delete the "test crossRef" object which points
to the default NC anymore.
2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
ea5c40428f
s4:ldap.py - perform tests on the additional delete constraint checks
2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
316eda1206
s4:objectclass LDB module - implement additional delete constraint checks
...
MS-ADTS 3.1.1.5.5.3
2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
542396ccd9
s4:ldap.py - add a test for "CN=System" object rename behaviour
2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
7ea1796fa4
s4:subtree_rename LDB module - rename "check_system_flags" into "check_constraints" and perform more checks
...
Always considering MS-ADTS 3.1.1.5.4.1.2.
2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
2e66033ab9
s4:subtree_rename LDB module - introduce out of memory checks
2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
f997fd299d
s4:dsdb/samdb/ldb_modules/util.c - remove unused variables
2010-08-01 11:33:37 +02:00
Matthias Dieter Wallnöfer
81cc92c5af
s4:ldap.py - performs some "systemFlags" testing
2010-08-01 09:36:01 +02:00
Matthias Dieter Wallnöfer
3cdc83d4f9
s4:subtree_rename LDB module - introduce the "systemFlags" protection rules
...
This is done in a dedicated call "check_system_flags".
2010-08-01 09:35:54 +02:00
Matthias Dieter Wallnöfer
3244f6feaa
s4:dsdb/pydsdb.c - import "systemFlags" into Python
...
Needed by ldap.py tests
2010-07-31 21:43:11 +02:00
Matthias Dieter Wallnöfer
4e3afb36da
s4:subtree_rename LDB module - "subren_ctx_init" - fix the "out of memory" return
2010-07-31 21:33:33 +02:00
Kamen Mazdrashki
86cc914717
s4-dsdb: use ldb_msg_normalize() in source4/dsdb/schema/schema_set.c
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:34 +10:00
Kamen Mazdrashki
fb1c0796c7
s4-dsdb/schema/schema_set.c: fix trailing spaces and comments spelling
...
Few comments split on several lines also...
(Sorry Metze, I know you hate reviewing "and this, and that"
type of patches, but those are just cosmetics)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:33 +10:00
Kamen Mazdrashki
a11d3b4dfb
s4-dsdb: use ldb_msg_difference() in source4/dsdb/schema/schema_set.c
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:33 +10:00
Andrew Tridgell
6b266b85cf
s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
...
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Matthieu Patou
a748402f61
s4 ldb modules: relax some tests about attributes that should not be here
...
For attributes that we know that are harmless and that used to be stored
in the ldb we relax the tests on the existence in a given objectclass.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:21 +10:00
Matthieu Patou
6a0856da9c
s4 dsdb: Use the changereplmetadata control
...
This control allow to specify the replPropertyMetaData attribute to
be specified on modify request. It can be used for very specific needs
to tweak the content of the replication data.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:20 +10:00
Matthieu Patou
d861ebbd81
s4 dsdb: create a new control: changereplmetadata
...
This control is designed to allow replmetadata to be specified
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:20 +10:00
Nadezhda Ivanova
d35e9008a7
s4: Added acl search tests for anonymous connection.
...
The tests make sure that we comply with dsHeuristics setting and
restrict anonymous access to rootDSE. They will be enabled when the
implementation is pushed. tests are verified against win2k8.
2010-07-14 14:44:46 +03:00
Nadezhda Ivanova
0b2d965e4b
s4: Reorganized dsHeuristics reset so the code can be reused
...
Moved the setting of dsHeuristics to a method as soon we will have to set other
values as well in different tests
2010-07-13 17:15:54 +03:00
Stefan Metzmacher
1caa8b06f7
s4:drepl_notify: hide some bugs from the make test output
...
It's useless to get messages like this every few seconds:
dreplsrv_notify: Failed to send DsReplicaSync to
edbf4745-2966-49a7-8653-99200f1c9430._msdcs.samba2003.example.com for
CN=Configuration,DC=samba2003,DC=example,DC=com -
NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE
We have a non bug regarding non-linked DN attributes
and changes of the target DN.
metze
2010-07-09 16:43:17 +02:00
Stefan Metzmacher
538bb9b3ec
s4:dsdb/repl: expose drsuapi_DsExtendedError to the caller (e.g. the ridalloc client)
...
metze
2010-07-09 09:27:16 +02:00
Stefan Metzmacher
49deed5a77
s4:drepl_out_helpers: don't return NT_STATUS_OK, if an extended operation doesn't return success
...
metze
2010-07-09 09:27:16 +02:00
Stefan Metzmacher
658a0f9ef8
s4:drepl_ridalloc: only ask the rid master for a new rid pool if we need to.
...
if we are at least half-exhausted then ask for a new pool.
This fixes a bug where we're sending uninitialized alloc_pool
variable as exop->fsmo_info to the rid master and get back
DRSUAPI_EXOP_ERR_PARAM_ERROR.
metze
2010-07-09 09:27:15 +02:00
Stefan Metzmacher
afba6204a3
s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_allocate_rid_pool_fsmo()
...
metze
2010-07-09 09:27:15 +02:00
Stefan Metzmacher
cd8d8dfe14
s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_allocate_rid()
...
metze
2010-07-09 09:27:14 +02:00
Stefan Metzmacher
3b8c9276dc
s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_create_rid_set_ntds()
...
metze
2010-07-09 09:27:14 +02:00
Stefan Metzmacher
12d26d59bd
s4:dsdb:ridalloc: add ridalloc_ridset_values infrastructure
...
metze
2010-07-09 09:27:13 +02:00
Stefan Metzmacher
bbed1fdfcd
s4:dsdb:ridalloc: use dsdb_module_constrainted_update_uint64() to update rIDAvailablePool
...
metze
2010-07-09 09:27:13 +02:00
Stefan Metzmacher
ad17333114
s4:dsdb:ridalloc.c: fix C++ warning
...
metze
2010-07-09 09:27:12 +02:00
Stefan Metzmacher
217177a4df
s4:dsdb: add dsdb_module_constrainted_update_uint32/64() wrapper functions
...
metze
2010-07-09 09:27:12 +02:00
Stefan Metzmacher
65ca5a3542
s4:dsdb: add dsdb_msg_constrainted_update_uint32/64() wrapper functions
...
metze
2010-07-09 09:27:11 +02:00
Stefan Metzmacher
1d6f321a91
s4:dsdb: add dsdb_module_constrainted_update_int32/64() functions
...
metze
2010-07-09 09:27:11 +02:00
Stefan Metzmacher
388e955f28
s4:dsdb: add dsdb_msg_constrainted_update_int32/64() functions
...
metze
2010-07-09 09:27:11 +02:00
Matthias Dieter Wallnöfer
6b7e436871
s4:acl LDB module - password attributes - check also the "dBCSPwd" attribute
...
It's also a possible password change/set attribute candidate.
2010-07-08 21:52:15 +02:00
Matthias Dieter Wallnöfer
921308f1e8
s4:acl LDB module - move a "mem_ctx" creation to the place where it is actually checked
...
Memory allocations and their result checks should be as tight as possible.
2010-07-08 19:28:44 +02:00
Nadezhda Ivanova
10c60f2372
Added a test to prove by default users can change each other's pass if the old is known
2010-07-08 15:38:16 +03:00
Kamen Mazdrashki
609b865691
s4-dsdb/util: Reorder DSDB_FLAG_* checks
...
One good thing about having more clear function interfaces
(and forcing callers to specify clearly what they want)
is that now I can execute following search:
git grep DSDB_FLAG_NEXT_MODULE | wc -l
This showed that DSDB_FLAG_NEXT_MODULE flag is about 6 times
more frequently used than DSDB_FLAG_OWN_MODULE.
So this should reduce branch prediction by six times
in this part of the code, right :)
2010-07-08 02:38:36 +03:00
Kamen Mazdrashki
0c4bbb7106
s4-dsdb: Implement module switching in dsdb_module_search_dn()
...
This allows caller to choose from where to start DN search
2010-07-08 02:38:36 +03:00
Kamen Mazdrashki
62a0f11dcb
s4-source4/dsdb/samdb/ldb_modules/acl.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
02f0c6d1eb
s4-source4/dsdb/samdb/ldb_modules/linked_attributes.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
0d2116a423
s4-source4/dsdb/samdb/ldb_modules/naming_fsmo.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
b18ab82604
s4-source4/dsdb/samdb/ldb_modules/operational.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:34 +03:00
Kamen Mazdrashki
7694b1964f
s4-source4/dsdb/samdb/ldb_modules/partition_init.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:34 +03:00
Kamen Mazdrashki
b62715964a
s4-source4/dsdb/samdb/ldb_modules/pdc_fsmo.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:33 +03:00
Kamen Mazdrashki
2ee14378c3
s4-source4/dsdb/samdb/ldb_modules/repl_meta_data.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:33 +03:00
Kamen Mazdrashki
d7bcac5a9f
s4-source4/dsdb/samdb/ldb_modules/ridalloc.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:33 +03:00
Kamen Mazdrashki
dc720739ab
s4-source4/dsdb/samdb/ldb_modules/samba_dsdb.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:32 +03:00
Kamen Mazdrashki
8c7a6a8dc7
s4-source4/dsdb/samdb/ldb_modules/schema_load.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:32 +03:00
Kamen Mazdrashki
64c31b7e0a
s4-source4/dsdb/samdb/ldb_modules/util.c Use DSDB_FLAG_NEXT_MODULE flag
2010-07-08 02:38:32 +03:00
Andrew Tridgell
87df785a68
s4-dsdb: use ldb_operr() in the dsdb code
...
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)"
in places in the dsdb code where we don't already explicitly set an
error string. This should make it much easier to track down dsdb
module bugs that result in an operations error.
2010-07-07 20:14:55 +10:00
Matthias Dieter Wallnöfer
502bddf767
s4:new_partition LDB module - fix an uninitialised variable warning
...
> [ 651/1946] Compiling dsdb/samdb/ldb_modules/new_partition.c
> ../dsdb/samdb/ldb_modules/new_partition.c: In function 'new_partition_add':
> ../dsdb/samdb/ldb_modules/new_partition.c:195: warning: 'down_req' may be used uninitialized in this function
The "down_req" variable isn't used anymore.
2010-07-06 21:54:21 +02:00
Matthias Dieter Wallnöfer
9c8135785a
s4:dsdb - samdb_result_force_password_change - also when "pwdLastSet" is "-1" we shouldn't force a password change
...
This value is set by the ADUC console.
2010-07-06 21:54:20 +02:00
Stefan Metzmacher
a236bc4b33
s4:dsdb/password_hash: implement DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID
...
metze
2010-07-05 18:00:15 +02:00
Stefan Metzmacher
6d7b9648e5
s4:dsdb: allocate DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID
...
When importing users from Samba3 we need to control all values.
metze
2010-07-05 18:00:14 +02:00
Stefan Metzmacher
24d6950f63
s4:dsdb/password_hash: fix some c++ compiler warnings
...
metze
2010-07-05 18:00:14 +02:00
Nadezhda Ivanova
d300085868
Changed passwords.py to use the correct account as acl checks now pass.
2010-07-05 00:20:37 +03:00
Nadezhda Ivanova
81240b13b3
s4-dsdb: Implementation of User-Change-Password and User-Force-Password-Change
...
These CARs need to be checked on password change and password reset operations.
Apparently the password attributes are not influenced by Write Property.
Single delete operations and modifications of dBCSPwd are let through to the
password_hash module. This is determined experimentally.
2010-07-05 00:17:38 +03:00
Matthias Dieter Wallnöfer
343e9320ba
s4:subtree_rename LDB module - Cosmetic fixes
2010-07-04 22:05:18 +02:00
Matthias Dieter Wallnöfer
7d483cdc04
s4:subtree_delete LDB module - fix comments and add my copyright
...
(I've introduced the subtree delete mechanism)
2010-07-04 22:05:17 +02:00
Matthias Dieter Wallnöfer
f41d9eb8dc
s4:dsdb/tests/python/ldap_schema.py - remove a now useless "schemaUpdateNow" request
...
"schemaUpdateNow" on s4 is now a non-op and therefore not strictly needed anymore.
2010-07-03 15:37:45 +02:00
Matthias Dieter Wallnöfer
465c601071
s4:urgent_replication.py test - remove unneeded "relax" control parameters
2010-07-03 15:30:20 +02:00
Matthias Dieter Wallnöfer
326aac06f5
s4:schema_load LDB module - fix a segfault condition on schema refresh
...
The schema refresh operation itself starts requests from the top of the LDB
modules stack (see call "dsdb_schema_set_attributes" - search operations).
This doesn't work well when these do perform "dsdb_get_schema" calls. Since the
new schema isn't marked as "refreshed" atm (but in fact it still is - we didn't
terminate the reload/refresh yet) we could perform other calls to
"dsdb_schema_refresh" and run into serious trouble (segfault).
2010-07-03 15:28:57 +02:00
Matthias Dieter Wallnöfer
02eab66026
s4:schema_set.c - Fix a comment
2010-07-03 14:53:03 +02:00
Matthias Dieter Wallnöfer
d1ee7ab16e
s4:dsdb_schema_set_attributes - remove unneeded filter criteria
...
We already choose the right entry by specifying the right basedn with scope
"LDB_SCOPE_BASE".
2010-07-03 14:53:02 +02:00
Matthias Dieter Wallnöfer
368aa25f7c
s4:dsdb_module_load_partition_usn - check for "res->count" equal/unequal to 1
2010-07-03 12:47:46 +02:00
Matthias Dieter Wallnöfer
4df9757b48
s4:schema_set.c - fix typo
2010-07-03 12:36:34 +02:00
Matthias Dieter Wallnöfer
de81160e75
s4:schema_load.c - jump to "failed" on an error condition
2010-07-03 12:35:16 +02:00
Matthias Dieter Wallnöfer
ec9fa906c7
s4:dsdb/tests/passwords.py - set and reset the "minPwdAge" properly
...
After a patch proposal of Nadya and some reflection I think that it's really
worth to change all tests which need a "0" "minPwdAge" to set it manually and
reset the default afterwards.
So we can finally introduce the default "minPwdAge" on provision.
Patch proposal by: Nadya Ivanova
2010-07-03 11:28:21 +02:00
Nadezhda Ivanova
86cde0a7dc
Tests for user-change-password and force-password-change access rights
2010-07-02 16:38:05 +03:00
Anatoliy Atanasov
62341537d7
s4/schema: remove unnecessary deletion of dsdb_schema cached pointer
...
This is needed so we can find and free old schemas based using
the cached pointer
2010-07-02 11:55:33 +03:00
Andrew Tridgell
2671b5aeb0
s4-dsdb: fixed spelling of supportedSASLMechanisms
...
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-07-02 12:49:04 +10:00
Andrew Bartlett
c48279896d
s4:dsdb Ensure we free old schema copies
...
It was reported by aatanasov that we kept around one whole schema per
modification made. This does not fix that, but I hope moves us closer
to a fix
The most important part of the fix is that:
- if (schema_out != schema_in) {
- talloc_unlink(schema_in, ldb);
- }
was the wrong way around. This is now handled in the schema_set calls.
Andrew Bartlett
2010-07-02 10:08:16 +10:00
Kamen Mazdrashki
5a66edc99e
s4/dsdb: Assert DSDB_FLAG_*_MODULE is always passed in function call
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:08:12 +10:00
Kamen Mazdrashki
73474998e1
s4-source4/dsdb/samdb/ldb_modules/util.c Use DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:08:07 +10:00
Kamen Mazdrashki
682f7a5338
s4-source4/dsdb/samdb/ldb_modules/subtree_delete.c: Use DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:08:02 +10:00
Kamen Mazdrashki
bf373d5c29
s4-source4/dsdb/samdb/ldb_modules/schema_load.c: Use DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:57 +10:00
Kamen Mazdrashki
7c653c429a
s4-source4/dsdb/samdb/ldb_modules/samldb.c: Use DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:53 +10:00
Kamen Mazdrashki
0e023f2340
s4-source4/dsdb/samdb/ldb_modules/samba3sid.c: Use DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:48 +10:00
Kamen Mazdrashki
30a69eb4a0
s4-source4/dsdb/samdb/ldb_modules/rootdse.c: Use DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:43 +10:00
Kamen Mazdrashki
68c6e607d9
s4-source4/dsdb/samdb/ldb_modules/ridalloc.c: Use DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:39 +10:00
Kamen Mazdrashki
f3f87e8dee
s4-source4/dsdb/samdb/ldb_modules/repl_meta_data.c: Use DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:34 +10:00
Kamen Mazdrashki
b29921b82e
s4-dsdb/samdb/ldb_modules/linked_attributes.c: make use of DSDB_FLAG_NEXT_MODULE flag
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:27 +10:00
Kamen Mazdrashki
f570eec264
s4/dsdb: Add DSDB_FLAG_NEXT_MODULE flag
...
Although it is not currently used in implementation,
my intention is for callers to clearly state what
action they want to execute.
Currently when a caller wants to pass the call to the next
module in the chain, this flag is either omitted or 0 is used
(which is somewhat hacky, isn't it)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:09 +10:00
Matthias Dieter Wallnöfer
c2e2f783d0
s4:dsdb/tests/python/passwords.py - add the right result codes for user password changes
...
They will be enabled once the ACL modules supports it. It was my fault to not
import them earlier.
2010-07-01 17:23:01 +02:00
Stefan Metzmacher
14f8953aa4
s4:dsdb: move dsdb python tests from lib/ldb/ to dsdb/
...
metze
2010-06-30 11:10:28 +02:00
Anatoliy Atanasov
6abfe8904a
s4:schema/schema_set.c - free LDB message diffs
...
Especially the "free"s after "ldb_msg_diff" are very important since the diff
message is allocated on the long-living LDB context.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-30 09:17:44 +02:00
Andrew Bartlett
32b8b401d6
s4:dsdb Fix possible schema segfaults for DRS-replication based schema
...
The problem here is that if the schema has been modified on the source
domain, there may be attributes that appear over DRS with 0 values (to
indicate that any existing values on the target should be deleted).
This would confuse the previous version of this macro.
Andrew Bartlett
2010-06-30 10:22:59 +10:00
Matthias Dieter Wallnöfer
4f029f6f1b
s4:dsdb/new_partition.c - remove the "ldb_next_request" call which we find also below the "if" block
2010-06-29 22:23:15 +02:00
Matthias Dieter Wallnöfer
0e21b4ffa0
Revert "s4/dsdb: Fixed partition_search() not to pass special DN's to LDAP backend."
...
This reverts commit ed4c107bc1.
See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
2010-06-29 15:14:32 +02:00
Nadezhda Ivanova
845e7a609d
Fixed incorrect use of cn instead of lDAPDisplayName
2010-06-29 11:46:22 +03:00
Andrew Bartlett
94637e5fe4
s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
...
This ensures that our DC will use all the available encryption types.
(The KDC reads this entry to determine what the server supports)
Andrew Bartlett
2010-06-29 16:59:22 +10:00
Kamen Mazdrashki
1e8876a4f1
s4/repl_meta_data: remove duplicated (and commented out) log
2010-06-29 00:35:23 +03:00
Endi S. Dewata
ed4c107bc1
s4/dsdb: Fixed partition_search() not to pass special DN's to LDAP backend.
...
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-28 19:33:45 +02:00
Matthias Dieter Wallnöfer
4fc51ad07a
s4:repl_meta_data LDB module - fix counter type
2010-06-28 14:51:09 +02:00
Matthias Dieter Wallnöfer
fc2d8fcb83
s4:acl LDB module - fix counter type
2010-06-28 14:51:09 +02:00
Nadezhda Ivanova
5a18fc2b2a
Implementation of self membership validated right.
...
When this right is granted, the user can add or remove themselves from a group even
if they don't have write property right.
2010-06-28 10:43:50 +03:00
Kamen Mazdrashki
431386f327
s4/drs: re-implement 'renaming' object replication
...
We should rename objects only after we make sure, that
changes on the partner DC are newer than what we have.
This fixes a bug, when we have following situation with 2 DCs:
- we have an object O on the two DCs
- we rename (delete) object O on DC1
- DC1 replicates from DC2
In the above scenario, object O will be renamed back
to its original name (i.e. it will be restored).
Now, we check that DC2 state is older than what we have,
so nothing happens with object's DN.
2010-06-28 04:43:29 +03:00
Stefan Metzmacher
7905901bc0
s4:dsdb/ridalloc: add comment about windows behavior regarding rIDUsedPool
...
metze
2010-06-26 09:50:55 +02:00
Kamen Mazdrashki
163ed44903
s4/drs: DsReplicaSync should search partition to Sync
...
by any valid DSName attribute given, be it - partition DN,
partition GUID or partition SID
2010-06-25 04:51:59 +03:00
Andrew Tridgell
4cb423f527
s4-python: python is not always in /usr/bin
...
Using "#!/usr/bin/env python" is more portable. It still isn't ideal
though, as we should really use the python path found at configure
time. We do that in many places already, but some don't.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-24 18:46:57 +10:00
Andrew Bartlett
c4482bf53e
libds:common Remove DS_DC_* domain functionality flags
...
These are just a subset of the DS_DOMAIN_ functionality flags, are compared and often confused with each other. Just make them one set.
Andrew Bartlett
2010-06-23 20:10:03 +10:00
Matthias Dieter Wallnöfer
26a95463a6
s4:operational LDB module - fix a misleading comment
2010-06-23 09:53:23 +02:00
Matthias Dieter Wallnöfer
0e637be43b
s4:password_hash LDB module - fix another problem regarding the lanman hash
...
When a user provides only the lanman hash (and nothing else) and the
lanman authentication is deactivated then we end in an account with no
password attribute at all! Lock this down.
2010-06-22 22:21:04 +02:00
Matthias Dieter Wallnöfer
c38f94ed9b
s4:dsdb_load_partition_usn - free the right memory context (tmp_ctx)
2010-06-21 11:10:02 +02:00
Kamen Mazdrashki
3aa8853f58
s4/dsdb: msg_idx->dn should be allocated in msg_idx mem context
2010-06-21 02:57:56 +03:00
Kamen Mazdrashki
cc7e2c10f2
s4/dsdb: Move schema accessors cleanup in separate function
...
This way dsdb_setup_sorted_accessors() will
free memory allocated for accessor arrays correctly
in case of failure,
2010-06-21 02:57:56 +03:00
Kamen Mazdrashki
267645ca55
s4/dsdb-schema: Index attributes on msDS-IntId value
...
O(n) search for dsdb_attribute by msDS-IntId value was
replaced by binary-search in ordered index.
I've chosen the approach of separate index on msDS-IntId values
as I think it is more clear what we are searching for.
And it should be a little bit faster as we can clearly determine
in which index to perform the search based on ATTID value -
ATTIDs based on prefixMap and ATTIDs based on msDS-IntId
are in separate ranges.
Other way to implement this index was to merge msDS-IntId values
in attributeID_id index.
This led me to a shorter but not so obvious implementation.
2010-06-21 02:57:55 +03:00
Matthias Dieter Wallnöfer
fbd0902958
s4:subtree_delete LDB module - now do support tree delete operations
2010-06-20 18:52:30 +02:00
Matthias Dieter Wallnöfer
87d0f63632
s4:dsdb - add a new dsdb delete function which understands the tree delete control
2010-06-20 18:52:29 +02:00
Matthias Dieter Wallnöfer
2fb715b484
s4:samldb LDB module - remove "samldb_set_defaultObjectCategory"
...
As far as I can tell and the test show the DN gets now normalised automatically
when stored into the database.
Anyway, if we find a case where this doesn't happen then I propose to do it
centrally for all DN attributes in common since we should get away from special
attribute hacks as far as possible.
2010-06-20 18:52:27 +02:00
Jelmer Vernooij
9e02764f7c
pydsdb: Mark all SamDB and Schema methods that are in pydsdb as
...
private, to discourage them being called directly.
2010-06-20 15:22:49 +02:00
Matthieu Patou
f3e7d0ae8f
s4: Using control bypassoperational allow the logic of this module to be bypassed for some given attributes
...
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 00:43:08 +02:00
Jelmer Vernooij
74309eb29c
pydsdb: Move write_prefixes_from_schema_to_ldb to pydsdb from pyglue.
2010-06-19 22:46:43 +02:00
Jelmer Vernooij
a4f60ffe4b
pydsdb: Move dsdb_set_schema_from_ldb to pydsdb.
2010-06-19 22:46:43 +02:00
Jelmer Vernooij
05b108a06b
pydsdb: Move set_schema_from_ldif function to pydsdb from pyglue.
2010-06-19 22:46:43 +02:00
Matthias Dieter Wallnöfer
131be8da0f
s4:instancetype LDB module - "instanceType" is single-valued - MS-ADTS 3.1.1.5.2.2
2010-06-19 19:37:47 +02:00
Matthias Dieter Wallnöfer
d16697df49
s4:objectclass LDB module - disable delete operations when "SYSTEM_FLAG_DISALLOW_DELETE" is specified
2010-06-19 17:53:19 +02:00
Matthias Dieter Wallnöfer
46bcf883bf
s4:rootdse LDB module - strip trailing whitespaces
2010-06-19 17:53:18 +02:00
Matthias Dieter Wallnöfer
7f46a91e77
s4:rootdse LDB module - protect add and delete operations on the rootdse entry
2010-06-19 17:53:18 +02:00
Matthias Dieter Wallnöfer
72e14ea8bd
s4:rootdse LDB module - Return "UNWILLING_TO_PERFORM" when no attribute fits on a change
2010-06-19 17:53:17 +02:00
Matthias Dieter Wallnöfer
2af67a3602
s4:rootdse LDB module - refactor error messages
...
Fix indentations, use "set_errstring" when no "asprintf" functionality required.
2010-06-19 17:53:16 +02:00
Matthias Dieter Wallnöfer
a4381239ba
s4:objectclass LDB module - use the old DN when displaying error messages
2010-06-19 17:53:16 +02:00
Matthias Dieter Wallnöfer
ee2bb4474f
s4:objectclass LDB module - add a better message when the parent DN is invalid
2010-06-19 17:53:15 +02:00
Matthias Dieter Wallnöfer
04890bb750
s4:objectclass LDB module - add an error message when someone tries to add entries without objectclasses
2010-06-19 17:53:15 +02:00
Matthias Dieter Wallnöfer
9da8b06112
s4:objectclass LDB module - handle the case when there is a retry to add the root basedn
...
This isn't quitted with a normal "NO_SUCH_OBJECT" (parent not found) but with a
very special referral: one with the DN itself and the hostname is the last
component value of the DN.
2010-06-19 17:53:14 +02:00
Jelmer Vernooij
b03637cb9e
dsdb: Fix includes when building against system ldb.
2010-06-19 14:46:22 +02:00
Jelmer Vernooij
ccaf0c6038
dsdb: Use Samba includes so _PUBLIC_ is defined.
2010-06-19 13:55:41 +02:00
Jelmer Vernooij
238e89f7b0
dsdb: Make module ops struct for each module public.
2010-06-19 13:46:39 +02:00
Matthias Dieter Wallnöfer
955e1835ef
s4:objectclass LDB module - move "mem_ctx" initialisation lower
...
Saves us some "talloc_free"s on error cases
2010-06-18 10:03:09 +02:00
Jelmer Vernooij
bd8fcd869d
s4: Fix build when there is a system-provided ldb.
2010-06-16 18:13:18 +02:00
Matthias Dieter Wallnöfer
233ce18a17
s4:linked attributes LDB module - strip trailing whitespaces
2010-06-16 15:34:41 +02:00
Matthias Dieter Wallnöfer
e190683b59
s4:linked_attributes LDB module - cosmetics
...
- unsigned counters for LDB objects
- we tend to have the "ret" variable always as the last declaration to see
which type of error a function returns
2010-06-16 15:34:41 +02:00
Stefan Metzmacher
6dbcffb51d
s4:lib: merge LDB_WRAP and LDBSAMBA and make LDBSAMBA a library.
...
This is needed to remove samba specific symbols from the bundled
ldb, in order to get the ABI right.
metze
Signed-off-by: Andreas Schneider <asn@samba.org>
2010-06-16 14:07:28 +02:00
Andrew Bartlett
18f3e5113a
s4:dsdb Allow renames with (now removed) linked attributes
...
It is important to allow the rename, even if we just have one-way
links, as this happens on deleted objects, which have the backlinks
already removed by repl_meta_data.
Andrew Bartlett
2010-06-16 12:05:31 +10:00
Andrew Bartlett
25abcb6818
s4:dsdb Fix linked_attributes to cope with the Feb 2010 changes to DLIST
...
The DLIST macros changed in behaviour in Feb 2010, and walking the
lists backwards is no longer safe if you don't use the macros.
Andrew Bartlett
2010-06-16 09:57:52 +10:00
Andrew Bartlett
5150f8597a
s4:dsdb Assert that we can't get backlinks as input in linked_attributes
...
The objectclass_attr module should prevent users creating such links,
and the mrepl_meta_data module should only create them in functional
level 2003 or above.
Andrew Bartlett
2010-06-16 09:57:52 +10:00
Andrew Bartlett
ec6839ac26
s4:dsdb use dsdb_module_modify() rather than ldb_next_request()
...
This does exactly the same thing, but with less code.
Andrew Bartlett
2010-06-16 09:57:51 +10:00
Andrew Bartlett
ffa787772f
s4:dsdb Handle backlinks for Windows 2000 level linked attributes
...
This revives the code from 5964acfa74,
before tridge and I simplified this too much, and removed the Windows
2000 functional level linked attribute support.
By telling the linked_attributes module that repl_meta_data has
handled the links, we avoid a conflict for the new style (functional
level 2003 and above) linked attributes. However, we still need
backlinks for 2000 style linked attributes, so this allows that code
in the linked_attributes module to be revived to handle those.
Andrew Bartlett
2010-06-16 09:57:51 +10:00
Andrew Bartlett
ecfce7365c
s4:dsdb Add control for signaling between repl_meta_data and linked_attributes
...
This control will allow the linked_attributes module to know if
repl_meta_data has already handled the creation of forward and back
links.
Andrew Bartlett
2010-06-16 09:57:51 +10:00
Jelmer Vernooij
7fe9e6cd69
dsdb: Fix includes when building against system ldb.
2010-06-15 13:15:50 +02:00
Jelmer Vernooij
6c9336110c
dsdb: Build modules as external modules when using system ldb.
2010-06-15 13:15:50 +02:00
Andrew Bartlett
b16e602660
s4:dsdb Move linked attribute restrictions to objectclass_attrs
...
This puts more of the schema restrictions in one place.
Andrew Bartlett
2010-06-15 10:54:09 +10:00
Andrew Bartlett
8ea4118472
s4:dsdb Add const to dsdb_dn functions that operate on an ldb_val.
...
Andrew Bartlett
2010-06-15 10:53:50 +10:00
Andrew Bartlett
7c60ac97bf
s4:provision Allow a specific prefix map to be loaded into a new schema provision
...
This allows the prefixMap from a DRS server to be used when loading
the schema from the local files. This helps us then import other
schema with this map in place.
Andrew Bartlett
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
2010-06-15 10:51:34 +10:00
Andrew Bartlett
5323485eb3
s4:dsdb Allow the setting an override on the schema
...
The change here is to try and convert as per the previous rules, but if
we don't know a particular OID as a attributeID, then store it as an
OID (for example). This allows known values to be converted as
before, but still copes with unknown values.
Andrew Bartlett
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
2010-06-15 10:51:34 +10:00
Andrew Bartlett
6a2f7fe04c
s4:dsdb Use the schema from our local provision to decode the schema
...
This works on the assumption that the schema partition can only
contain schema objects.
We may need to pass down some kind of 'relax' to the DRS -> LDB
conversion code, so that it allows incomplete conversions, so that we
don't fail if a new attribute is present, and we can't decode it.
This would then be resolved the second time we do the conversion.
Andrew Bartlett
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
2010-06-15 10:51:34 +10:00
Matthias Dieter Wallnöfer
4b6ce8efc0
s4:fix allocated control OIDs for "password_hash" LDB module
...
The password hash module controls overlapped others. Sorry, but the
"schema_samba4.ldif" hasn't been kept up-to-date.
2010-06-13 18:35:19 +02:00
Jelmer Vernooij
51058213cb
s4-test: Use smb.conf path set in environment rather than using
...
command-line options.
This is the first step towards supporting custom test runners.
2010-06-13 18:19:03 +02:00
Matthias Dieter Wallnöfer
890d590e51
s4:password_hash LDB module - this does really deactivate the MS LAN manager hash
...
Previously, only the conversion from cleartext to the LM hash was deactivated,
and not when the user specified it directly through "dBCSPwd".
2010-06-12 16:45:49 +02:00
Matthias Dieter Wallnöfer
3e98262c71
s4:password_hash LDB module - fix comment
2010-06-12 16:45:49 +02:00
Andrew Bartlett
8d8678fcfd
s4:dsdb Allow calling dsdb_convert_object_ex() directly
...
This will allow the libnet_vampire code to manually convert individual
schema objects.
Andrew Bartlett
2010-06-12 11:19:19 +10:00
Andrew Bartlett
088d5b76ca
s4:dsdb Simplify match of objectclass in dsdb_schema_set_el_from_ldb_msg
...
There is no need to do a full ldb_match_msg() for a simple case
insensitive string.
Andrew Bartlett
2010-06-12 11:18:41 +10:00
Andrew Bartlett
d6f5c1ace2
s4:dsdb Provide a function to convert from DRS prefix maps to the LDB prefixmap
...
This allows us to push a prefixmap directly into the schema we
generate in the provision code.
Andrew Bartlett
2010-06-12 11:17:22 +10:00
Andrew Bartlett
e82836467c
s4:dsdb Add more debugs to help track down failures to parse the prefixmap
2010-06-12 11:17:14 +10:00
Andrew Bartlett
c6bf8e4cad
s4:dsdb Put back the reference and set_attributes in dsdb_reference_schema
...
I'm not sure why I removed these in fe3e1af901
Andrew Bartlett
2010-06-12 11:16:49 +10:00
Matthias Dieter Wallnöfer
b61fa4b676
s4:rootdse LDB module - use LDB result constants
2010-06-11 10:19:19 +02:00
Matthias Dieter Wallnöfer
d604d49939
s4:samldb LDB module - fix up the case when the old and new "primaryGroupID" are the same
2010-06-10 16:22:09 +02:00
Matthias Dieter Wallnöfer
13ca999b3b
s4:samldb LDB module - don't create multiple "ac" module contexts on modify operations
...
Since we do now run sequentially through all checks we don't need multiple "ac"
contexts anymore.
2010-06-10 16:22:08 +02:00
Matthias Dieter Wallnöfer
1305c91598
s4:samba_dsdb LDB module - move the "objectclass_attrs" module back
...
I think it should be lower in order to control also the "instanceType" module.
2010-06-10 16:22:06 +02:00
Matthias Dieter Wallnöfer
0a41b7e95b
s4:instancetype LDB module - prevent all types of "instanceType" manipulation
...
Also on Windows Server you aren't able to change it.
2010-06-10 16:22:05 +02:00
Matthias Dieter Wallnöfer
1949864417
s4:objectclass_attrs LDB module - move the single-valued attribute check into this module
...
It seems to me more consistent (and also to keep the same behaviour on all
backends).
Also the DRS hack should therefore not be needed anymore since the
"repl_meta_data" module launches requests behind "objectclass_attrs".
2010-06-07 20:54:10 +02:00
Matthias Dieter Wallnöfer
0dc88d2745
s4:samba_dsdb LDB module - fix typos
2010-06-07 15:02:38 +02:00
Matthias Dieter Wallnöfer
63a8c65861
s4:samba_dsdb LDB module - enhance/fix module rule comments
2010-06-07 15:00:26 +02:00
Matthias Dieter Wallnöfer
e3c686daec
s4:objectclass LDB module - rework the code which handles the objectclasses modification
...
Before it has been very incomplete. We try now to match the Windows Server
behaviour as close as possible.
2010-06-07 14:47:25 +02:00
Matthias Dieter Wallnöfer
ee278bf0c4
s4:acl LDB module - LDB attribute names should be compared using "ldb_attr_cmp" or "strcasecmp"
2010-06-07 14:47:24 +02:00
Matthias Dieter Wallnöfer
566d13c5d1
s4:acl LDB module - adaption for "objectclass_attrs" module
...
Since the attribute schema checking code moved back we need to give here the
"LDB_ERR_NO_SUCH_ATTRIBUTE" error.
2010-06-07 14:47:24 +02:00
Matthias Dieter Wallnöfer
e7eef53fe5
s4:objectclass LDB module - remove "fix_check_attributes"
...
Also this task is now performed by the "objectclass_attrs" LDB module.
2010-06-07 14:47:23 +02:00
Matthias Dieter Wallnöfer
227144e050
s4:samldb LDB module - adjust the module to set always a "defaultObjectCategory" on objectclass add operations
...
This is needed to make the "objectclass_attrs" LDB module happy. The search
check and case adjustment are done as it was using a second modify operation.
2010-06-07 14:47:23 +02:00
Matthias Dieter Wallnöfer
bd910952ba
s4:remove the "validate_update" LDB module - the task is now handled by the far more complete "objectclass_attrs" LDB module
2010-06-07 14:47:23 +02:00
Matthias Dieter Wallnöfer
2586cbaadc
s4:dsdb - introduce a new "objectclass_attrs" LDB module which performs the objectclass attributes checking
...
Until now we had no real consistent mechanism which allowed us to check if
attributes belong to the specified objectclasses.
2010-06-07 14:47:22 +02:00
Matthias Dieter Wallnöfer
9e56b54414
s4:objectclass LDB module - instantiate the schema variable centrally on the "ac" context creation
...
This unifies the position when the schema is read and prevents multiple
instantiations (eg on a modification operation).
2010-06-07 14:47:22 +02:00
Matthias Dieter Wallnöfer
da90868907
s4:samldb LDB module - finally we can remove the RDN check
...
This is now dynamically always done by the objectclass LDB module
2010-06-07 14:47:22 +02:00
Matthias Dieter Wallnöfer
ec9b6f3c60
s4:objectclass LDB module - finally implement the correct entry rename protections
...
Only the "systemFlags" check is still missing.
2010-06-07 14:47:21 +02:00
Matthias Dieter Wallnöfer
0ca17eaa15
s4:objectclass LDB module - cosmetic change
2010-06-07 14:47:21 +02:00
Matthias Dieter Wallnöfer
c6020ccb87
s4:objectclass LDB module - remove duplicated code
2010-06-07 14:47:20 +02:00
Matthias Dieter Wallnöfer
95da724325
s4:objectclass LDB module - fix counter variable types
2010-06-07 14:47:20 +02:00
Matthias Dieter Wallnöfer
0408ec11a9
s4:objectclass LDB module - explain why the search can return with an empty return
2010-06-07 14:47:20 +02:00
Matthias Dieter Wallnöfer
6afa5a733c
s4:objectclass LDB module - this "talloc_steal" is not necessary
...
The "parent_dn" was created on the "ac" context which lives anyway longer
than this child request.
2010-06-07 14:47:19 +02:00
Matthias Dieter Wallnöfer
2d3760c04c
s4:objectclass LDB module - fix error result if an entry doesn't contain a structural objectclass
...
We need to return LDB_ERR_UNWILLING_TO_PERFORM (not LDB_ERR_NAMING_VIOLATION).
2010-06-07 14:47:19 +02:00
Matthias Dieter Wallnöfer
2a294d380f
s4:objectclass LDB module - use "ldb_oom" for expressing out of memory
2010-06-07 14:47:19 +02:00
Matthias Dieter Wallnöfer
3c4336bf94
s4:objectclass LDB module - fix header and add my copyright
2010-06-07 14:47:19 +02:00
Matthias Dieter Wallnöfer
98b98a29f6
s4:password_hash LDB module - adapt the module to the new "ldb_msg_remove_attr" behaviour
2010-06-06 23:13:15 +02:00
Matthias Dieter Wallnöfer
93db960fae
s4:samldb LDB module - this codepart isn't needed due to the objectclass LDB module
...
When a "computer" entry will be added, also the inherited "user" objectclass is
going to be specified.
2010-06-06 20:48:58 +02:00
Matthias Dieter Wallnöfer
df63b2ca0e
s4:get_last_structural_class - only real structural classes can be candidates for fetching the last one
...
Classes with objectCategory = 1 are always structural, these with
objectCategory = 0 also (as we can see in our Windows 2008 R2 schema file where
class "Person" has 0 but is structural).
Abstract classes and auxiliary ones cannot be considered (objectCategory = 2, 3)
http://msdn.microsoft.com/en-us/library/ms677964(VS.85).aspx
2010-06-06 20:48:42 +02:00
Matthias Dieter Wallnöfer
cadf774f8b
s4:dsdb/common/util.c - provide a better implementation of the "samdb_msg_add_(add/del)val" calls
...
This supports now also coexisting add and delete message elements with the
same attribute name.
2010-06-06 20:47:10 +02:00
Matthias Dieter Wallnöfer
45171d6108
s4:ridalloc LDB module - add more "talloc_free"s where useful
...
Some were missing on failure return branches.
2010-06-06 20:44:01 +02:00
Matthias Dieter Wallnöfer
787a42ef99
s4:acl LDB module - fix counter types where appropriate
2010-06-06 20:43:38 +02:00
Matthias Dieter Wallnöfer
fc037e029e
s4:descriptor LDB module - cosmetic fixup
2010-06-06 20:43:19 +02:00
Anatoliy Atanasov
3bae05d286
s4: check the sacl and dacl pointers on the old sd
2010-06-01 16:52:46 +03:00
Karolin Seeger
3eab655e54
s4-cracknames: Fix typo in debug message.
...
Karolin
2010-06-01 09:33:53 +02:00
Matthias Dieter Wallnöfer
83788988cb
s4:samldb LDB module - start on a sequential trigger implementation
...
This is a start to allow the triggers to be called sequentially.
2010-05-31 22:43:29 +02:00
Matthias Dieter Wallnöfer
0fce829de4
s4:dsdb_load_udv_v1 - "uint32_t" counter type fits better than "unsigned int"
2010-05-31 22:43:28 +02:00
Jelmer Vernooij
82d56b9374
ldb: Fix dependencies when building with system ldb.
2010-05-31 19:22:03 +02:00
Matthias Dieter Wallnöfer
463d5f0afc
s4:samldb LDB module - deny delete operations on some important attributes
...
Add operations are denied since these are single-valued - only replace is
allowed.
This is only provisorily at the moment - we need to implement the triggers
specified in MS-ADTS.
2010-05-30 23:13:09 +02:00
Matthias Dieter Wallnöfer
08653ac9c2
s4:samldb LDB module - rework the group change code to be again synchronous
2010-05-30 23:13:08 +02:00
Matthias Dieter Wallnöfer
c2a3792e72
s4:dsdb/samdb/ldb_modules/util.c - make sure to always free temporary data
2010-05-30 20:52:11 +02:00
Matthias Dieter Wallnöfer
b7270fbc99
s4:dsdb_module_search_dn - add code to handle NULL format string
2010-05-30 20:52:10 +02:00
Matthias Dieter Wallnöfer
f927881028
s4:dsdb/common/util.c - fix a counter variable
2010-05-30 20:52:10 +02:00
Matthias Dieter Wallnöfer
189950ce06
s4:dsdb_enum_group_mem - use "unsigned" counters
...
"size_t" counters aren't really needed here (we don't check data lengths).
And we save the result in a certain "num_sids" variable which is of type
"unsigned".
2010-05-24 22:01:36 +02:00
Matthias Dieter Wallnöfer
4d76c0aa80
s4:dsdb_lookup_rids - "unsigned" counters fit better than "signed" in this case
2010-05-24 22:01:20 +02:00
Matthias Dieter Wallnöfer
9696bba1d7
s4:dsdb_add_user - check the "cn"/"account_name" length (should be >= 1)
...
This needed by the "cn_name_len"-1 accesses.
And use a "size_t"-typed variable for storing it (length specificators should
always be stored using "size_t" variables).
2010-05-24 21:55:11 +02:00
Andrew Bartlett
f6aa090202
s4:samr Push most of samr_LookupRids into a helper function
...
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
2010-05-24 23:08:56 +10:00
Andrew Bartlett
c6ffd884d9
s4:samr Push most of samr_QueryGroupMember into a helper function
...
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
2010-05-24 23:08:49 +10:00
Andrew Bartlett
20d2847492
s4:samr Move most of samr_CreateDomAlias into a helper function
...
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
fc04e565b0
s4:samr Split most of samr_CreateDomainGroup into a helper function
...
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
43c931b2d4
s4:samr Split the guts of samr_CreateUser2 into a helper function
...
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
e0d141bd46
s4:dsdb Allow a NULL search expression in dsdb_search()
...
The NULL search expression expands to (objectClass=*), but %s expands
NULL to (NULL) which doesn't parse...
Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
c8a23147fe
s4:libcli/ldap Rename ldap.h to libcli_ldap.h
...
It is a problem if a samba header is called ldap.h if we also want
to use OpenLDAP's ldap.h
Andrew Bartlett
2010-05-21 17:39:15 +10:00
Matthias Dieter Wallnöfer
4b56aa2771
s4:operational LDB module - fix warnings (missing parameters, unused variable)
2010-05-20 10:23:45 +02:00
Andrew Bartlett
9c6b637ce8
s4:auth Change auth_generate_session_info to take flags
...
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
off 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
feb9ffdac8
s4:auth Add dependency from the operational module onto auth
...
We had to split up the auth module into a module loaded by main daemon
and a subsystem we manually init in the operational module.
Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
72ccbcacdd
s4:auth Allow the operational module to get a user's tokenGroups from auth
...
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
5f9024c8a4
s4:auth Move BUILTIN group addition into session.c
...
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
2010-05-20 17:39:09 +10:00
Andrew Bartlett
564b4c7443
s4:dsdb disable tokenGroups until end of rewrite
...
I need to change the functions this calls
Andrew Bartlett
2010-05-20 17:39:09 +10:00
Kamen Mazdrashki
799eb535a9
s4/metadata: fix whitespaces
2010-05-19 02:49:05 +03:00
Jelmer Vernooij
c0fb7b8180
s3: Fix some more iconv convenience usages.
2010-05-18 11:45:31 +02:00
Jelmer Vernooij
390ada6ec7
Remove more usages of iconv_convenience in files which were apparently not recompiled by waf.
2010-05-18 11:45:31 +02:00
Jelmer Vernooij
b8268cf7b0
s3: Remove use of iconv_convenience.
2010-05-18 11:45:31 +02:00
Jelmer Vernooij
f9ca9e46ad
Finish removal of iconv_convenience in public APIs.
2010-05-18 11:45:30 +02:00
Anatoliy Atanasov
26d41c23f6
s4-rodc: Cache am_rodc flag
2010-05-17 13:30:27 +03:00
Matthias Dieter Wallnöfer
d712356569
s4:repl_meta_data LDB module - fix counter types
2010-05-14 19:04:48 +02:00
Matthias Dieter Wallnöfer
6d95a204d7
s4:dsdb_cache LDB module - fix a typo
2010-05-14 19:02:30 +02:00
Matthias Dieter Wallnöfer
da5cd4ba34
s4:samldb LDB module - remove unused variables
2010-05-14 19:02:10 +02:00
Matthieu Patou
f45cbb0a0d
s4: Do not display by default the message Failed to send DsReplicaSync if other host is just unreachable
...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-05-13 19:13:30 +02:00
Stefan Metzmacher
11730520a7
s4:dsdb: fix samdb_result_logon_hours() and don't hardcode units_per_week
...
metze
2010-05-13 19:12:42 +02:00
Stefan Metzmacher
7e49fd92ca
s4:dsdb: cached results of samdb_rodc()
...
metze
2010-05-11 18:11:06 +02:00
Anatoliy Atanasov
7200c25646
Revert "s4-rodc: Fix provision warnings by creating ntds objectGUID in provision"
...
This reverts commit c3cbb846d0.
The fix is not correct, we should cache a bool to answer amIRODC
2010-05-11 12:54:18 +03:00
Stefan Metzmacher
8489934ce3
Revert "s4:password_hash LDB module - don't break the provision"
...
This reverts commit 6276343ce1.
This is not needed anymore.
metze
2010-05-11 08:38:26 +02:00
Stefan Metzmacher
ad5b9ae8dc
Revert "s4:password hash LDB module - check that password hashes are != NULL before copying them"
...
This reverts commit fa87027592.
This check is done one level above now.
metze
2010-05-11 08:38:02 +02:00
Stefan Metzmacher
8ff38004e8
s4:dsdb/password_hash: only try to handle a hash in the unicodePwd field if it's given
...
Sorry, I removed this logic while cleaning up indentation levels...
metze
2010-05-11 08:37:03 +02:00
Matthias Dieter Wallnöfer
56421886de
s4:password_hash LDB module - we might not have a cleartext password at all
...
When we don't have the cleartext of the new password then don't check it
using "samdb_check_password".
2010-05-10 23:50:03 +02:00
Matthias Dieter Wallnöfer
4f25baecc1
s4:password_hash LDB module - quiet a warning
2010-05-10 20:04:37 +02:00
Matthias Dieter Wallnöfer
fa87027592
s4:password hash LDB module - check that password hashes are != NULL before copying them
2010-05-10 20:02:21 +02:00
Matthias Dieter Wallnöfer
6276343ce1
s4:password_hash LDB module - don't break the provision
...
This is to not break the provision process at the moment. We need to find
a better solution.
2010-05-10 19:51:31 +02:00
Matthias Dieter Wallnöfer
029351571a
s4:samdb_set_password - adapt it for the user password change handling
...
Make use of the new "change old password checked" control.
2010-05-10 19:12:26 +02:00
Matthias Dieter Wallnöfer
6e8098b261
s4:samdb_set_password/samdb_set_password_sid - Rework
...
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2010-05-10 19:07:46 +02:00
Stefan Metzmacher
fc8e3ffb5f
s4:password_hash - Implement password restrictions
...
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.
metze
2010-05-10 18:06:54 +02:00
Matthias Dieter Wallnöfer
6a69ec2f5a
s4:password_hash - Rework to handle password changes
...
- Implement the password restrictions as specified in "samdb_set_password"
(complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
MS-ADTS 3.1.1.3.1.5)
2010-05-10 18:06:24 +02:00
Matthias Dieter Wallnöfer
12c4b09fd5
s4:password_hash - Rework unique value checks
...
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
2010-05-10 17:54:16 +02:00
Matthias Dieter Wallnöfer
3ce4a0c5f2
s4:password_hash - Various (mostly cosmetic) prework
...
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
"user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
2010-05-10 17:54:15 +02:00
Matthias Dieter Wallnöfer
726fb35f9f
s4:dsdb: add new controls
...
- Add a new control for getting status information (domain information,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an additional control "change_old password checked" for the password
2010-05-10 17:54:15 +02:00
Anatoliy Atanasov
c3cbb846d0
s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
2010-05-10 17:24:02 +03:00
Matthias Dieter Wallnöfer
e2806f9e4d
s4:acl ldb module - fix typos
2010-05-10 12:39:44 +02:00
Matthias Dieter Wallnöfer
946993238f
s4:dsdb/util.c - Add a new function for retrieving password change attributes
...
This is needed since we have not only reset operations on password fields
(attributes marked with REPLACE flag) but also change operations which can be
performed by users themselves. They have one attribute with the old value marked
with the REMOVE flag and one with the new one marked with the ADD flag.
This function helps to retrieve them (argument "new" is used for the new
password on both reset and change).
2010-05-10 12:20:27 +02:00
Matthias Dieter Wallnöfer
1cdc46a90a
s4:samldb LDB module - make "samldb_member_check" synchronous again
2010-05-09 20:26:31 +02:00