mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
2397 Commits

Author SHA1 Message Date
Kamen Mazdrashki
7ee34182df s4-dsdb/repl/drepl_out_pull.c: Remove unused code 2010-09-09 18:26:50 +03:00
Kamen Mazdrashki
ef56945d0e s4-drepl_service.c: Update (C)
and remove few trailing white spaces
2010-09-09 18:26:50 +03:00
Kamen Mazdrashki
3fa3bc7eba s4-drepsrv: Dump more info when drepl_replica_sync() fails
There are many spots where this function may fail
and I find it very useful to know where exactly function
fails and what are the input parameters during testing.

REPLICA_SYNC_FAIL() macro now dumps an error message
so we may remove extra DEBUG() dump in implementation.
2010-09-09 18:26:50 +03:00
Andrew Bartlett
b2ea0ca3d6 s4-dsdb Change debug levels for startup messages
We should make the 'common' error not show up, but the unusual case fatal.

Andrew Bartlett
2010-09-09 21:39:25 +10:00
Andrew Tridgell
54e86d881d s4-pydsdb: expose samdb_partitions_dn() as get_partitions_dn() in python
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-09 21:39:24 +10:00
Kamen Mazdrashki
e64e398568 s4-dreplsrv: Run NC replication synchronously if requested 2010-09-07 17:09:35 +03:00
Kamen Mazdrashki
dea5c7b948 s4-idl: redefine dreplsrv_refresh() to be alike other RPC function definitions
Sorry for the 'custom' definition first time
2010-09-05 23:34:28 +03:00
Matthieu Patou
42dfa71ef5 dsdb: make the ATTRIBUTE NOT FOUND more clear 2010-09-05 12:29:20 +04:00
Jelmer Vernooij
72f3727464 dsdb: Add missing dependencies for dsdb ldb modules. 2010-09-04 15:00:33 +02:00
Stefan Metzmacher
ff0362fc35 s4:dsdb/kcc: use irpc_binding_handle_by_name()
metze
2010-09-03 17:00:19 +02:00
Kamen Mazdrashki
65b21c0562 s4-dreplsrv: Refactor drepl_replica_sync() to behave as described in MS-DRSR
see: MS-DRSR - 4.1.23.2

Note: Synchronous replication not implemented yet.
2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
715743b38d s4-dreplsrv: Helpers to locate source DSA in a partition by GUID or DNS name 2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
3691e6c97b s4-dreplsrv: Helper to find NC by DN or GUID or SID 2010-09-03 13:23:48 +03:00
Kamen Mazdrashki
5685fb64e4 s4-dreplsrv: Add caller-specific data parameter for dreplsrv_fsmo_callback_t
It is to be used when we need to preserve a state
to be used in the callback when dreplsrv_out_operation is completed
2010-09-03 13:23:47 +03:00
Andrew Bartlett
768475d571 s4:dsdb Fix attribute being searched for in dereference against Fedora DS
The problem here is that these attributes are not mapped in the
simple_ldap_map, and they were changed a while back.

Andrew Bartlett
2010-09-02 10:40:34 +10:00
Andrew Bartlett
68c61dfa3f s4:dsdb Make the dereference control critical if input is critical
This helps us ensure that the backend knows about and respects the
dereference control if our caller has asked that the extended DN control
be considered critical.

Andrew Bartlett
2010-09-02 10:40:34 +10:00
Andrew Bartlett
379d073444 s4:dsdb Don't reload the schema against OpenLDAP backend
The schema should be considered read-only when we are using the OL
backend, as we can't update the backend schema in real time anyway.

Andrew Bartlett
2010-09-02 10:40:34 +10:00
Kamen Mazdrashki
b5ed9c2c4d s4-kcc: Notify dreplsrv that Topology has changed 2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
b954834ad1 s4-dreplsrv: Implement irpc stub to be used to force dreplsrv to update internal cache
This IRPC call is to be used whenever repsFrom/repsTo are
changed by administrative tool or KCC (i.e. Topology changes).

At present, only KCC may change topology.
2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
53551a76c5 s4-dreplsrv: Move partition cache update before scheduling another set of replications 2010-08-28 23:38:59 +03:00
Kamen Mazdrashki
a052497c74 s4-kcc: Assert when unexpected repsFromToBlob version is passed
At present we only support v1 structures (Win2k3 and earlier),
so it is good to make it obvious.
In case we start supporting v2 we will be able to notice this
function should be refactored right away
2010-08-28 23:38:58 +03:00
Nadezhda Ivanova
c679290f6e s4-dsdb: Fixed a compiler warning. 2010-08-27 12:34:27 +03:00
Matthias Dieter Wallnöfer
b11b2425a9 s4:dsdb_module_find_dsheuristics - free the "DN" also on other exit cases 2010-08-26 21:06:06 +02:00
Nadezhda Ivanova
ff2037876f s4-dsdb: Removed an unnecessary space in dsdb_module_find_dsheuristics() 2010-08-26 17:37:49 +03:00
Nadezhda Ivanova
a571487e6c s4-dsdb: Added utility functions for retrieving dSHeuristics from the module stack
Also a function to check dsHeuristics value to determine if anonymous access should be blocked
2010-08-26 17:18:40 +03:00
Andrew Tridgell
cb0f8f0ee0 s4-repl: load RODC partitions using msDS-hasFullReplicaNCs
we mark these as incoming_only

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 23:05:05 +10:00
Andrew Tridgell
f42af4ea68 s4-dsdb: make more of the UF_* flags available on pydsdb
this really should be moved to IDL
2010-08-25 08:40:05 +10:00
Andrew Tridgell
4ab1a489c7 s4-dsdb: add more DS flags to the dsdb module
These are from libds/common/flags.h

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 08:40:04 +10:00
Andrew Tridgell
8438da96ba s4-dsdb: added get_attid_from_lDAPDisplayName() on samdb
This can be used to form the partial_attribute_set list for
GetNCChanges

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-25 08:40:04 +10:00
Andrew Bartlett
6cf29b3e4f s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code.  (The remaining changes are that privileges still need to be merged)

Andrew Bartlett
2010-08-23 08:50:55 +10:00
Andrew Tridgell
0cc3525c03 s4-dsdb: the RODC_JOIN control also changes samAccountName
when adding a user with the RODC_JOIN control, the samAccountName is
automatically set to the krbtgt_NNNNN form

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:12 +10:00
Andrew Tridgell
6eb34e6907 s4-dsdb: fixed dsdb_get_extended_dn_sid()
it should honor the component_name

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Andrew Tridgell
c122939919 s4-drs: implement RODC attribute filtering override
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20 20:34:11 +10:00
Kamen Mazdrashki
89899f55dc s4-drs: ATTIDs for deleted attributes should be based on msDs-IntId value if it exists 2010-08-19 03:34:05 +03:00
Kamen Mazdrashki
695072478d s4-dsdb: No need for dsdb_syntax_one_DN_drsuapi_to_ldb() to be public
It is intended to be used in schema_syntax.c module
2010-08-19 03:34:04 +03:00
Kamen Mazdrashki
35d886db17 s4-dsdb-syntax: ATTID should be msDs-IntId value for the attributeSchema object
in case object replicated is not in Schema NC and attributeSchema
object has msDs-IntId attribute value set
2010-08-19 03:34:03 +03:00
Kamen Mazdrashki
fffc98f33e s4: fix few comment typos 2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
d01804dda9 s4-schema_syntax.c: Fix white spaces and alignment 2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
c5ec1f3d92 s4-dsdb: Use dsdb_syntax_ctx in *_drsuapi_to_ldb functions 2010-08-19 03:34:02 +03:00
Kamen Mazdrashki
b5af7b9a1e s4-dsdb: Use dsdb_syntax_ctx in *_ldb_to_drsuapi functions 2010-08-19 03:34:01 +03:00
Kamen Mazdrashki
ca80918613 s4-dsdb: Use dsdb_syntax_ctx in *_validate_ldb functions 2010-08-19 03:34:01 +03:00
Kamen Mazdrashki
b7d1586ccd s4-dsdb: Add context structure for dsdb_syntax conversion functions
This structure is intended to hold context-dependent data.

Syntax-conversion and object-conversion functions need
that data to convert objects and attributes from drs-to-ldb
and ldb-to-drs correctly.

For instance: ATTID value depends on whether we are converting
object from partition different than Schema partition.
2010-08-19 03:34:01 +03:00
Andrew Bartlett
23dc2e4244 s4:auth Change {anonymous,system}_session to use common session_info generation
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.

Andrew Bartlett
2010-08-18 09:50:45 +10:00
Andrew Bartlett
ba52834dd9 s4:auth Remove system_session_anon() from python bindings 2010-08-18 09:50:44 +10:00
Andrew Bartlett
7c6ca95bec s4:security Remove use of user_sid and group_sid from struct security_token
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-18 09:50:38 +10:00
Matthias Dieter Wallnöfer
eb345ebedf s4:samdb_set_password/samdb_set_password_sid - make more arguments "const" 2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
d72d7f9c5f s4:samdb_set_password/samdb_set_password_sid - make the adaptions to support the password change control
And introduce parameters to pass the old password hashes.
2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
35954bb310 s4:password_hash LDB module - perform the adaptions to understand the new password change control 2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
23bd3a7417 s4:acl LDB module - support password changes over the DSDB_CONTROL_PASSWORD_CHANGE_OID control
This control is used from the SAMR and "kpasswd" password changes. It is
strictly private and means "this is a password change and not a password set".
2010-08-17 18:45:33 +02:00
Matthias Dieter Wallnöfer
895a9fbbfb s4:DSDB - DSDB_CONTROL_PASSWORD_CHANGE_OID - add a structure as value to the control
This contains the NT and/or LM hash of the password specified by the user.
2010-08-17 18:45:32 +02:00
Matthias Dieter Wallnöfer
bbb9dc806e s4:DSDB - rename the "DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID"
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards
contain a record with the specified old password as NT and/or LM hash.
2010-08-17 18:45:32 +02:00
Nadezhda Ivanova
38e41728c5 s4-tests: Added tests for acl checks on search requests 2010-08-17 17:05:42 +03:00
Andrew Tridgell
896f10301c s4-dsdb: check the type of session_info from the opaque
we saw a crash with a bad pointer here, and this may help track it
down

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:51 +10:00
Andrew Tridgell
4e9daa0f03 s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT
when this is in user_account_control the account is a RODC, and we
need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
df14f645b3 s4-dsdb: cope with cracknames of form dnsdomain\account
this is used by w2k8r2 when doing a RODC dcpromo

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
f6e0b151a3 s4-dsdb: set LDB_FLAG_INTERNAL_DISABLE_VALIDATION for msDS-SecondaryKrbTgtNumber
msDS-SecondaryKrbTgtNumber is setup with a value that is outside the
range allowed by the schema (the schema has
rangeLower==rangeUpper==65536). We need to mark this element as being
internally generated to avoid the range checks

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
0caf347098 s4-ldb: added LDB_FLAG_INTERNAL_DISABLE_VALIDATION
When this flag is set on an element in an add/modify request then the
normal validate_ldb() call that checks the element against schema
constraints is disabled

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
6baa834ebe s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messages
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.

This will allow us to use some of the other flags bits for internal
markers on elements

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
527042f78b s4-dsdb: support LDB_CONTROL_RODC_DCPROMO_OID for nTDSDSA add
this control disables the system only check for nTDSDSA add operations

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:50 +10:00
Andrew Tridgell
974279b67d s4-dsdb: fixed test for LDB_CONTROL_RODC_DCPROMO_OID
the ldb_msg_add_fmt() call returns LDB_SUCCESS on success
2010-08-17 21:21:50 +10:00
Andrew Tridgell
191d632e23 s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID
this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a
user object.

There is some 'interesting' interaction with the rangeLower and
rangeUpper attributes and this add. We don't implement
rangeLower/rangeUpper yet, but when we do we'll need an override for
this control (or be careful about module ordering).

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17 21:21:49 +10:00
Matthias Dieter Wallnöfer
dadcc84009 s4:samdb_set_password_sid - fix comment
Add more possible result NTSTATUS codes
2010-08-16 18:45:26 +02:00
Matthias Dieter Wallnöfer
1fc3676974 s4:samdb_set_password - fix formatting
(Sorry, I've overseen this)
2010-08-15 19:45:29 +02:00
Matthias Dieter Wallnöfer
af3c6a4242 s4:passwords.py - proof the most important extended error codes 2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
3fcd76237d s4:samdb_set_password - implement the extended LDAP error code detection 2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
2dbff00b6d s4:password_hash LDB module - introduce the extended LDAP error codes on the important failure cases 2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
33bb063b05 s4:password_hash LDB module - support this new password set syntax 2010-08-15 19:42:40 +02:00
Matthias Dieter Wallnöfer
6dc0c07a51 s4:passwords.py - another special password test
This looks like a password change but it's rather a password set operation.
2010-08-15 19:42:39 +02:00
Matthias Dieter Wallnöfer
28cfae774e s4:password_hash LDB module - allow to compare against both NT and LM hashes on password change operations
This is to match the SAMR password change behaviour.
2010-08-15 19:42:39 +02:00
Matthias Dieter Wallnöfer
fb274f056b s4:subtree_rename.c - relax the checks when requested
(Needed by upgradeprovision for example)
2010-08-15 09:24:22 +02:00
Matthias Dieter Wallnöfer
07af3f289e s4:samdb_set_password - return "NT_STATUS_WRONG_PASSWORD" when a user account doesn't exist
This is for the (SAMR) account detection protection mechanism.
2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
1fa9e99442 s4:password_hash LDB module - improve an error message 2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
4b569d74a4 s4:password_hash LDB module - implement the SAMR behaviour when checking old passwords
Sooner or later this module should take over all password change actions.
2010-08-14 18:48:20 +02:00
Matthias Dieter Wallnöfer
e335b24ad0 s4:password_hash LDB module - fix wrong error codes
To match the passwords.py test
2010-08-14 18:48:19 +02:00
Matthias Dieter Wallnöfer
a9b055291c s4:passwords.py - test the error code when there doesn't exist any password yet
After the creation of a user object we don't have any password yet.
2010-08-14 18:48:19 +02:00
Matthias Dieter Wallnöfer
c335c5f54a s4:passwords.py - perform testing of wrong old passwords on change operations 2010-08-14 18:48:19 +02:00
Kamen Mazdrashki
d595f070f6 s4-dsdb: fix attributes_by_msDS_IntId index sorting 2010-08-11 00:18:14 +03:00
Matthias Dieter Wallnöfer
067b5721c7 s4:objectclass LDB module - weaken the check for the "rIDSet" delete constraint
Perform it only when a "rIDSet" does exist. Requested by ekacnet for
"upgradeprovision".
2010-08-10 21:01:11 +02:00
Matthias Dieter Wallnöfer
303089f5b8 s4:dsdb/common/util.c - provide a call which returns the forest function level
Sooner or later we'll need this too since not all operations depend only on the
current's domain function level (see the MS-ADTS docs).
2010-08-10 19:08:56 +02:00
Matthias Dieter Wallnöfer
e53fc1228f s4:dsdb/common/util.c - use LDB constants whenever possible 2010-08-10 19:08:56 +02:00
Matthias Dieter Wallnöfer
390bfed7b7 s4:kcc_connection.c - fix typo in error message 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
bc702a394d s4:ldap.py - comment a test part which fails with another error code on Windows 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
8243272fa0 s4:ldap.py - test the new "systemFlags" constraint 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
f99d672b13 s4:objectclass LDB module - "add operation" - enhance and clean the "systemFlags" section
Also here we have to test for single-valueness.
2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
e009d02bd5 s4:ldap.py - test for an invalid "objectCategory" attribute 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
6e6af9c14c s4:objectclass LDB module - "add operation" - implement "objectCategory" validation 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
299b59b7c3 s4:ldap.py - proof for the impossibility to add a LSA-specific object over LDAP 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
89c71a8f06 s4:urgent_replication.py - relax also here the add of a secrets object 2010-08-07 14:22:42 +02:00
Matthias Dieter Wallnöfer
25e973d5db s4:dsdb/common/util.c - add a function "dsdb_add" 2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
7d62128e2c s4:objectclass LDB module - "add operation" - reject creation of LSA specific objects
(only using the RELAX flag allowed)
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
a3c6d4c4d5 s4:objectclass LDB module - "add operation" - move two checks
To be more consistent with the MS-ADTS doc.
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
ace6f52d57 s4:objectclass LDB module - "add operation" - deny multiple "objectclass" message elements
Requested by MS-ADTS 3.1.1.5.2.2
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
9f0cbe1558 s4:objectclass LDB module - "add" operation - free "mem_ctx" as soon as possible
We don't need to have it around until the end of the function.
2010-08-07 14:22:41 +02:00
Matthias Dieter Wallnöfer
dbdef72953 s4:LDB modules - remove the "kludge_acl" module code
Obviously this has been forgotten by Nadya.
2010-08-04 19:47:41 +02:00
Nadezhda Ivanova
d50a9e8d9e s4-dsdb: Removed kludge_acl as it is no longer necessary
Moved the access check on extended operations to acl module and removed kludge_acl
2010-08-04 15:22:17 +03:00
Kamen Mazdrashki
f827904596 s4-schema: More verbose error log when subClassOf is not found in schema
Error message shows failing classSchema object
but not the specific value for the failure,
which makes diagnostics by log files really hard.
2010-08-03 04:29:23 +03:00
Kamen Mazdrashki
a268e0846f s4: fix comment typos 2010-08-03 04:29:22 +03:00
Matthias Dieter Wallnöfer
e4b32cb0d4 s4:ldap.py - remove superfluous spaces
Sorry, forgot to delete them in the last commit
2010-08-01 22:12:04 +02:00
Matthias Dieter Wallnöfer
e92f447823 s4:ldap.py - additional "instanceType" checks 2010-08-01 21:30:30 +02:00
Matthias Dieter Wallnöfer
c38219adfc s4:instancetype LDB module - add checks requested by MS-ADTS 3.1.1.5.2.2
We've to test for the WRITE flag if we are performing an NC add. And if it
isn't an NC add then only the WRITE or no flag is allowed.
2010-08-01 21:30:29 +02:00
Matthias Dieter Wallnöfer
ba4578f98b s4:objectclass LDB module - consider the "instanceType" when adding NCs
This is requested by MS-ADTS 3.1.1.5.2.2 (NC add operation).
2010-08-01 21:30:29 +02:00
Matthias Dieter Wallnöfer
89c7859006 s4:descriptor LDB module - remove the "forest DN" check
Also here we have to work with the default base DN.

After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!

Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01 21:30:28 +02:00
Matthias Dieter Wallnöfer
f824e459f0 s4:acl LDB module - remove the "forest DN" check
After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!

Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01 21:30:28 +02:00
Matthias Dieter Wallnöfer
149f4251c5 s4:acl LDB module - remove unused call "is_root_base_dn" 2010-08-01 21:30:27 +02:00
Matthias Dieter Wallnöfer
3f2a8d5081 s4:urgent_replication.py test - adapt the test for the harder delete restrictions
Otherwise we are not able to delete the "test crossRef" object which points
to the default NC anymore.
2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
ea5c40428f s4:ldap.py - perform tests on the additional delete constraint checks 2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
316eda1206 s4:objectclass LDB module - implement additional delete constraint checks
MS-ADTS 3.1.1.5.5.3
2010-08-01 18:50:57 +02:00
Matthias Dieter Wallnöfer
542396ccd9 s4:ldap.py - add a test for "CN=System" object rename behaviour 2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
7ea1796fa4 s4:subtree_rename LDB module - rename "check_system_flags" into "check_constraints" and perform more checks
Always considering MS-ADTS 3.1.1.5.4.1.2.
2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
2e66033ab9 s4:subtree_rename LDB module - introduce out of memory checks 2010-08-01 14:00:10 +02:00
Matthias Dieter Wallnöfer
f997fd299d s4:dsdb/samdb/ldb_modules/util.c - remove unused variables 2010-08-01 11:33:37 +02:00
Matthias Dieter Wallnöfer
81cc92c5af s4:ldap.py - performs some "systemFlags" testing 2010-08-01 09:36:01 +02:00
Matthias Dieter Wallnöfer
3cdc83d4f9 s4:subtree_rename LDB module - introduce the "systemFlags" protection rules
This is done in a dedicated call "check_system_flags".
2010-08-01 09:35:54 +02:00
Matthias Dieter Wallnöfer
3244f6feaa s4:dsdb/pydsdb.c - import "systemFlags" into Python
Needed by ldap.py tests
2010-07-31 21:43:11 +02:00
Matthias Dieter Wallnöfer
4e3afb36da s4:subtree_rename LDB module - "subren_ctx_init" - fix the "out of memory" return 2010-07-31 21:33:33 +02:00
Kamen Mazdrashki
86cc914717 s4-dsdb: use ldb_msg_normalize() in source4/dsdb/schema/schema_set.c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:34 +10:00
Kamen Mazdrashki
fb1c0796c7 s4-dsdb/schema/schema_set.c: fix trailing spaces and comments spelling
Few comments split on several lines also...

(Sorry Metze, I know you hate reviewing "and this, and that"
type of patches, but those are just cosmetics)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:33 +10:00
Kamen Mazdrashki
a11d3b4dfb s4-dsdb: use ldb_msg_difference() in source4/dsdb/schema/schema_set.c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-19 17:33:33 +10:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Matthieu Patou
a748402f61 s4 ldb modules: relax some tests about attributes that should not be here
For attributes that we know that are harmless and that used to be stored
in the ldb we relax the tests on the existence in a given objectclass.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:21 +10:00
Matthieu Patou
6a0856da9c s4 dsdb: Use the changereplmetadata control
This control allows the replPropertyMetaData attribute to
be specified on modify request. It can be used for very specific needs
to tweak the content of the replication data.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:20 +10:00
Matthieu Patou
d861ebbd81 s4 dsdb: create a new control: changereplmetadata
This control is designed to allow replmetadata to be specified

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-15 22:08:20 +10:00
Nadezhda Ivanova
d35e9008a7 s4: Added acl search tests for anonymous connection.
The tests make sure that we comply with dsHeuristics setting and
restrict anonymous access to rootDSE. They will be enabled when the
implementation is pushed. Tests are verified against win2k8.
2010-07-14 14:44:46 +03:00
Nadezhda Ivanova
0b2d965e4b s4: Reorganized dsHeuristics reset so the code can be reused
Moved the setting of dsHeuristics to a method as soon we will have to set other
values as well in different tests
2010-07-13 17:15:54 +03:00
Stefan Metzmacher
1caa8b06f7 s4:drepl_notify: hide some bugs from the make test output
It's useless to get messages like this every few seconds:

dreplsrv_notify: Failed to send DsReplicaSync to
edbf4745-2966-49a7-8653-99200f1c9430._msdcs.samba2003.example.com for
CN=Configuration,DC=samba2003,DC=example,DC=com -
NT_STATUS_OBJECT_NAME_NOT_FOUND : WERR_BADFILE

We have a non bug regarding non-linked DN attributes
and changes of the target DN.

metze
2010-07-09 16:43:17 +02:00
Stefan Metzmacher
538bb9b3ec s4:dsdb/repl: expose drsuapi_DsExtendedError to the caller (e.g. the ridalloc client)
metze
2010-07-09 09:27:16 +02:00
Stefan Metzmacher
49deed5a77 s4:drepl_out_helpers: don't return NT_STATUS_OK, if an extended operation doesn't return success
metze
2010-07-09 09:27:16 +02:00
Stefan Metzmacher
658a0f9ef8 s4:drepl_ridalloc: only ask the rid master for a new rid pool if we need to.
if we are at least half-exhausted then ask for a new pool.

This fixes a bug where we're sending uninitialized alloc_pool
variable as exop->fsmo_info to the rid master and get back
DRSUAPI_EXOP_ERR_PARAM_ERROR.

metze
2010-07-09 09:27:15 +02:00
Stefan Metzmacher
afba6204a3 s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_allocate_rid_pool_fsmo()
metze
2010-07-09 09:27:15 +02:00
Stefan Metzmacher
cd8d8dfe14 s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_allocate_rid()
metze
2010-07-09 09:27:14 +02:00
Stefan Metzmacher
3b8c9276dc s4:dsdb:ridalloc: use ridalloc_ridset_values infrastructure in ridalloc_create_rid_set_ntds()
metze
2010-07-09 09:27:14 +02:00
Stefan Metzmacher
12d26d59bd s4:dsdb:ridalloc: add ridalloc_ridset_values infrastructure
metze
2010-07-09 09:27:13 +02:00
Stefan Metzmacher
bbed1fdfcd s4:dsdb:ridalloc: use dsdb_module_constrainted_update_uint64() to update rIDAvailablePool
metze
2010-07-09 09:27:13 +02:00
Stefan Metzmacher
ad17333114 s4:dsdb:ridalloc.c: fix C++ warning
metze
2010-07-09 09:27:12 +02:00
Stefan Metzmacher
217177a4df s4:dsdb: add dsdb_module_constrainted_update_uint32/64() wrapper functions
metze
2010-07-09 09:27:12 +02:00
Stefan Metzmacher
65ca5a3542 s4:dsdb: add dsdb_msg_constrainted_update_uint32/64() wrapper functions
metze
2010-07-09 09:27:11 +02:00
Stefan Metzmacher
1d6f321a91 s4:dsdb: add dsdb_module_constrainted_update_int32/64() functions
metze
2010-07-09 09:27:11 +02:00
Stefan Metzmacher
388e955f28 s4:dsdb: add dsdb_msg_constrainted_update_int32/64() functions
metze
2010-07-09 09:27:11 +02:00
Matthias Dieter Wallnöfer
6b7e436871 s4:acl LDB module - password attributes - check also the "dBCSPwd" attribute
It's also a possible password change/set attribute candidate.
2010-07-08 21:52:15 +02:00
Matthias Dieter Wallnöfer
921308f1e8 s4:acl LDB module - move a "mem_ctx" creation to the place where it is actually checked
Memory allocations and their result checks should be as tight as possible.
2010-07-08 19:28:44 +02:00
Nadezhda Ivanova
10c60f2372 Added a test to prove by default users can change each other's pass if the old is known 2010-07-08 15:38:16 +03:00
Kamen Mazdrashki
609b865691 s4-dsdb/util: Reorder DSDB_FLAG_* checks
One good thing about having more clear function interfaces
(and forcing callers to specify clearly what they want)
is that now I can execute following search:
git grep DSDB_FLAG_NEXT_MODULE | wc -l

This showed that DSDB_FLAG_NEXT_MODULE flag is about 6 times
more frequently used than DSDB_FLAG_OWN_MODULE.
So this should reduce branch prediction by six times
in this part of the code, right :)
2010-07-08 02:38:36 +03:00
Kamen Mazdrashki
0c4bbb7106 s4-dsdb: Implement module switching in dsdb_module_search_dn()
This allows caller to choose from where to start DN search
2010-07-08 02:38:36 +03:00
Kamen Mazdrashki
62a0f11dcb s4-source4/dsdb/samdb/ldb_modules/acl.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
02f0c6d1eb s4-source4/dsdb/samdb/ldb_modules/linked_attributes.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
0d2116a423 s4-source4/dsdb/samdb/ldb_modules/naming_fsmo.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:35 +03:00
Kamen Mazdrashki
b18ab82604 s4-source4/dsdb/samdb/ldb_modules/operational.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:34 +03:00
Kamen Mazdrashki
7694b1964f s4-source4/dsdb/samdb/ldb_modules/partition_init.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:34 +03:00
Kamen Mazdrashki
b62715964a s4-source4/dsdb/samdb/ldb_modules/pdc_fsmo.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:33 +03:00
Kamen Mazdrashki
2ee14378c3 s4-source4/dsdb/samdb/ldb_modules/repl_meta_data.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:33 +03:00
Kamen Mazdrashki
d7bcac5a9f s4-source4/dsdb/samdb/ldb_modules/ridalloc.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:33 +03:00
Kamen Mazdrashki
dc720739ab s4-source4/dsdb/samdb/ldb_modules/samba_dsdb.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:32 +03:00
Kamen Mazdrashki
8c7a6a8dc7 s4-source4/dsdb/samdb/ldb_modules/schema_load.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:32 +03:00
Kamen Mazdrashki
64c31b7e0a s4-source4/dsdb/samdb/ldb_modules/util.c Use DSDB_FLAG_NEXT_MODULE flag 2010-07-08 02:38:32 +03:00
Andrew Tridgell
87df785a68 s4-dsdb: use ldb_operr() in the dsdb code
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)"
in places in the dsdb code where we don't already explicitly set an
error string. This should make it much easier to track down dsdb
module bugs that result in an operations error.
2010-07-07 20:14:55 +10:00
Matthias Dieter Wallnöfer
502bddf767 s4:new_partition LDB module - fix an uninitialised variable warning
> [ 651/1946] Compiling dsdb/samdb/ldb_modules/new_partition.c
> ../dsdb/samdb/ldb_modules/new_partition.c: In function 'new_partition_add':
> ../dsdb/samdb/ldb_modules/new_partition.c:195: warning: 'down_req' may be used uninitialized in this function
The "down_req" variable isn't used anymore.
2010-07-06 21:54:21 +02:00
Matthias Dieter Wallnöfer
9c8135785a s4:dsdb - samdb_result_force_password_change - also when "pwdLastSet" is "-1" we shouldn't force a password change
This value is set by the ADUC console.
2010-07-06 21:54:20 +02:00
Stefan Metzmacher
a236bc4b33 s4:dsdb/password_hash: implement DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID
metze
2010-07-05 18:00:15 +02:00
Stefan Metzmacher
6d7b9648e5 s4:dsdb: allocate DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID
When importing users from Samba3 we need to control all values.

metze
2010-07-05 18:00:14 +02:00
Stefan Metzmacher
24d6950f63 s4:dsdb/password_hash: fix some c++ compiler warnings
metze
2010-07-05 18:00:14 +02:00
Nadezhda Ivanova
d300085868 Changed passwords.py to use the correct account as acl checks now pass. 2010-07-05 00:20:37 +03:00
Nadezhda Ivanova
81240b13b3 s4-dsdb: Implementation of User-Change-Password and User-Force-Password-Change
These CARs need to be checked on password change and password reset operations.
    Apparently the password attributes are not influenced by Write Property.
    Single delete operations and modifications of dBCSPwd are let through to the
    password_hash module. This is determined experimentally.
2010-07-05 00:17:38 +03:00
Matthias Dieter Wallnöfer
343e9320ba s4:subtree_rename LDB module - Cosmetic fixes 2010-07-04 22:05:18 +02:00
Matthias Dieter Wallnöfer
7d483cdc04 s4:subtree_delete LDB module - fix comments and add my copyright
(I've introduced the subtree delete mechanism)
2010-07-04 22:05:17 +02:00
Matthias Dieter Wallnöfer
f41d9eb8dc s4:dsdb/tests/python/ldap_schema.py - remove a now useless "schemaUpdateNow" request
"schemaUpdateNow" on s4 is now a non-op and therefore not strictly needed anymore.
2010-07-03 15:37:45 +02:00
Matthias Dieter Wallnöfer
465c601071 s4:urgent_replication.py test - remove unneeded "relax" control parameters 2010-07-03 15:30:20 +02:00
Matthias Dieter Wallnöfer
326aac06f5 s4:schema_load LDB module - fix a segfault condition on schema refresh
The schema refresh operation itself starts requests from the top of the LDB
modules stack (see call "dsdb_schema_set_attributes" - search operations).
This doesn't work well when these do perform "dsdb_get_schema" calls. Since the
new schema isn't marked as "refreshed" atm (but in fact it still is - we didn't
terminate the reload/refresh yet) we could perform other calls to
"dsdb_schema_refresh" and run into serious trouble (segfault).
2010-07-03 15:28:57 +02:00
Matthias Dieter Wallnöfer
02eab66026 s4:schema_set.c - Fix a comment 2010-07-03 14:53:03 +02:00
Matthias Dieter Wallnöfer
d1ee7ab16e s4:dsdb_schema_set_attributes - remove unneeded filter criteria
We already choose the right entry by specifying the right basedn with scope
"LDB_SCOPE_BASE".
2010-07-03 14:53:02 +02:00
Matthias Dieter Wallnöfer
368aa25f7c s4:dsdb_module_load_partition_usn - check for "res->count" equal/unequal to 1 2010-07-03 12:47:46 +02:00
Matthias Dieter Wallnöfer
4df9757b48 s4:schema_set.c - fix typo 2010-07-03 12:36:34 +02:00
Matthias Dieter Wallnöfer
de81160e75 s4:schema_load.c - jump to "failed" on an error condition 2010-07-03 12:35:16 +02:00
Matthias Dieter Wallnöfer
ec9fa906c7 s4:dsdb/tests/passwords.py - set and reset the "minPwdAge" properly
After a patch proposal of Nadya and some reflection I think that it's really
worth to change all tests which need a "0" "minPwdAge" to set it manually and
reset the default afterwards.

So we can finally introduce the default "minPwdAge" on provision.

Patch proposal by: Nadya Ivanova
2010-07-03 11:28:21 +02:00
Nadezhda Ivanova
86cde0a7dc Tests for user-change-password and force-password-change access rights 2010-07-02 16:38:05 +03:00
Anatoliy Atanasov
62341537d7 s4/schema: remove unnecessary deletion of dsdb_schema cached pointer
This is needed so we can find and free old schemas based using
the cached pointer
2010-07-02 11:55:33 +03:00
Andrew Tridgell
2671b5aeb0 s4-dsdb: fixed spelling of supportedSASLMechanisms
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-07-02 12:49:04 +10:00
Andrew Bartlett
c48279896d s4:dsdb Ensure we free old schema copies
It was reported by aatanasov that we kept around one whole schema per
modification made.  This does not fix that, but I hope moves us closer
to a fix

The most important part of the fix is that:

-		if (schema_out != schema_in) {
-			talloc_unlink(schema_in, ldb);
-		}

was the wrong way around.  This is now handled in the schema_set calls.

Andrew Bartlett
2010-07-02 10:08:16 +10:00
Kamen Mazdrashki
5a66edc99e s4/dsdb: Assert DSDB_FLAG_*_MODULE is always passed in function call
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:08:12 +10:00
Kamen Mazdrashki
73474998e1 s4-source4/dsdb/samdb/ldb_modules/util.c Use DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:08:07 +10:00
Kamen Mazdrashki
682f7a5338 s4-source4/dsdb/samdb/ldb_modules/subtree_delete.c: Use DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:08:02 +10:00
Kamen Mazdrashki
bf373d5c29 s4-source4/dsdb/samdb/ldb_modules/schema_load.c: Use DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:57 +10:00
Kamen Mazdrashki
7c653c429a s4-source4/dsdb/samdb/ldb_modules/samldb.c: Use DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:53 +10:00
Kamen Mazdrashki
0e023f2340 s4-source4/dsdb/samdb/ldb_modules/samba3sid.c: Use DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:48 +10:00
Kamen Mazdrashki
30a69eb4a0 s4-source4/dsdb/samdb/ldb_modules/rootdse.c: Use DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:43 +10:00
Kamen Mazdrashki
68c6e607d9 s4-source4/dsdb/samdb/ldb_modules/ridalloc.c: Use DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:39 +10:00
Kamen Mazdrashki
f3f87e8dee s4-source4/dsdb/samdb/ldb_modules/repl_meta_data.c: Use DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:34 +10:00
Kamen Mazdrashki
b29921b82e s4-dsdb/samdb/ldb_modules/linked_attributes.c: make use of DSDB_FLAG_NEXT_MODULE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:27 +10:00
Kamen Mazdrashki
f570eec264 s4/dsdb: Add DSDB_FLAG_NEXT_MODULE flag
Although it is not currently used in implementation,
my intention is for callers to clearly state what
action they want to execute.

Currently when a caller wants to pass the call to the next
module in the chain, this flag is either omitted or 0 is used
(which is somewhat hacky, isn't it)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-02 10:07:09 +10:00
Matthias Dieter Wallnöfer
c2e2f783d0 s4:dsdb/tests/python/passwords.py - add the right result codes for user password changes
They will be enabled once the ACL modules supports it. It was my fault to not
import them earlier.
2010-07-01 17:23:01 +02:00
Stefan Metzmacher
14f8953aa4 s4:dsdb: move dsdb python tests from lib/ldb/ to dsdb/
metze
2010-06-30 11:10:28 +02:00
Anatoliy Atanasov
6abfe8904a s4:schema/schema_set.c - free LDB message diffs
Especially the "free"s after "ldb_msg_diff" are very important since the diff
message is allocated on the long-living LDB context.

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-30 09:17:44 +02:00
Andrew Bartlett
32b8b401d6 s4:dsdb Fix possible schema segfaults for DRS-replication based schema
The problem here is that if the schema has been modified on the source
domain, there may be attributes that appear over DRS with 0 values (to
indicate that any existing values on the target should be deleted).
This would confuse the previous version of this macro.

Andrew Bartlett
2010-06-30 10:22:59 +10:00
Matthias Dieter Wallnöfer
4f029f6f1b s4:dsdb/new_partition.c - remove the "ldb_next_request" call which we find also below the "if" block 2010-06-29 22:23:15 +02:00
Matthias Dieter Wallnöfer
0e21b4ffa0 Revert "s4/dsdb: Fixed partition_search() not to pass special DN's to LDAP backend."
This reverts commit ed4c107bc1.

See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
2010-06-29 15:14:32 +02:00
Nadezhda Ivanova
845e7a609d Fixed incorrect use of cn instead of lDAPDisplayName 2010-06-29 11:46:22 +03:00
Andrew Bartlett
94637e5fe4 s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
This ensures that our DC will use all the available encryption types.

(The KDC reads this entry to determine what the server supports)

Andrew Bartlett
2010-06-29 16:59:22 +10:00
Kamen Mazdrashki
1e8876a4f1 s4/repl_meta_data: remove duplicated (and commented out) log 2010-06-29 00:35:23 +03:00
Endi S. Dewata
ed4c107bc1 s4/dsdb: Fixed partition_search() not to pass special DN's to LDAP backend.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-06-28 19:33:45 +02:00
Matthias Dieter Wallnöfer
4fc51ad07a s4:repl_meta_data LDB module - fix counter type 2010-06-28 14:51:09 +02:00
Matthias Dieter Wallnöfer
fc2d8fcb83 s4:acl LDB module - fix counter type 2010-06-28 14:51:09 +02:00
Nadezhda Ivanova
5a18fc2b2a Implementation of self membership validated right.
When this right is granted, the user can add or remove themselves from a group even
if they don't have write property right.
2010-06-28 10:43:50 +03:00
Kamen Mazdrashki
431386f327 s4/drs: re-implement 'renaming' object replication
We should rename objects only after we make sure, that
changes on the partner DC are newer than what we have.
This fixes a bug, when we have following situation with 2 DCs:
- we have an object O on the two DCs
- we rename (delete) object O on DC1
- DC1 replicates from DC2
In the above scenario, object O will be renamed back
to its original name (i.e. it will be restored).

Now, we check that DC2 state is older than what we have,
so nothing happens with object's DN.
2010-06-28 04:43:29 +03:00
Stefan Metzmacher
7905901bc0 s4:dsdb/ridalloc: add comment about windows behavior regarding rIDUsedPool
metze
2010-06-26 09:50:55 +02:00
Kamen Mazdrashki
163ed44903 s4/drs: DsReplicaSync should search partition to Sync
by any valid DSName attribute given, be it - partition DN,
partition GUID or partition SID
2010-06-25 04:51:59 +03:00
Andrew Tridgell
4cb423f527 s4-python: python is not always in /usr/bin
Using "#!/usr/bin/env python" is more portable. It still isn't ideal
though, as we should really use the python path found at configure
time. We do that in many places already, but some don't.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-24 18:46:57 +10:00
Andrew Bartlett
c4482bf53e libds:common Remove DS_DC_* domain functionality flags
These are just a subset of the DS_DOMAIN_ functionality flags, are compared and often confused with each other.  Just make them one set.

Andrew Bartlett
2010-06-23 20:10:03 +10:00
Matthias Dieter Wallnöfer
26a95463a6 s4:operational LDB module - fix a misleading comment 2010-06-23 09:53:23 +02:00
Matthias Dieter Wallnöfer
0e637be43b s4:password_hash LDB module - fix another problem regarding the lanman hash
When a user provides only the lanman hash (and nothing else) and the
lanman authentication is deactivated then we end in an account with no
password attribute at all! Lock this down.
2010-06-22 22:21:04 +02:00
Matthias Dieter Wallnöfer
c38f94ed9b s4:dsdb_load_partition_usn - free the right memory context (tmp_ctx) 2010-06-21 11:10:02 +02:00
Kamen Mazdrashki
3aa8853f58 s4/dsdb: msg_idx->dn should be allocated in msg_idx mem context 2010-06-21 02:57:56 +03:00
Kamen Mazdrashki
cc7e2c10f2 s4/dsdb: Move schema accessors cleanup in separate function
This way dsdb_setup_sorted_accessors() will
free memory allocated for accessor arrays correctly
in case of failure.
2010-06-21 02:57:56 +03:00
Kamen Mazdrashki
267645ca55 s4/dsdb-schema: Index attributes on msDS-IntId value
O(n) search for dsdb_attribute by msDS-IntId value was
replaced by binary-search in ordered index.

I've chosen the approach of separate index on msDS-IntId values
as I think it is more clear what we are searching for.
And it should be a little bit faster as we can clearly determine
in which index to perform the search based on ATTID value -
ATTIDs based on prefixMap and ATTIDs based on msDS-IntId
are in separate ranges.

Other way to implement this index was to merge msDS-IntId values
in attributeID_id index.
This led me to a shorter but not so obvious implementation.
2010-06-21 02:57:55 +03:00
Matthias Dieter Wallnöfer
fbd0902958 s4:subtree_delete LDB module - now do support tree delete operations 2010-06-20 18:52:30 +02:00
Matthias Dieter Wallnöfer
87d0f63632 s4:dsdb - add a new dsdb delete function which understands the tree delete control 2010-06-20 18:52:29 +02:00
Matthias Dieter Wallnöfer
2fb715b484 s4:samldb LDB module - remove "samldb_set_defaultObjectCategory"
As far as I can tell and the test show the DN gets now normalised automatically
when stored into the database.

Anyway, if we find a case where this doesn't happen then I propose to do it
centrally for all DN attributes in common since we should get away from special
attribute hacks as far as possible.
2010-06-20 18:52:27 +02:00
Jelmer Vernooij
9e02764f7c pydsdb: Mark all SamDB and Schema methods that are in pydsdb as
private, to discourage them being called directly.
2010-06-20 15:22:49 +02:00
Matthieu Patou
f3e7d0ae8f s4: Using control bypassoperational allow the logic of this module to be bypassed for some given attributes
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 00:43:08 +02:00
Jelmer Vernooij
74309eb29c pydsdb: Move write_prefixes_from_schema_to_ldb to pydsdb from pyglue. 2010-06-19 22:46:43 +02:00
Jelmer Vernooij
a4f60ffe4b pydsdb: Move dsdb_set_schema_from_ldb to pydsdb. 2010-06-19 22:46:43 +02:00
Jelmer Vernooij
05b108a06b pydsdb: Move set_schema_from_ldif function to pydsdb from pyglue. 2010-06-19 22:46:43 +02:00
Matthias Dieter Wallnöfer
131be8da0f s4:instancetype LDB module - "instanceType" is single-valued - MS-ADTS 3.1.1.5.2.2 2010-06-19 19:37:47 +02:00
Matthias Dieter Wallnöfer
d16697df49 s4:objectclass LDB module - disable delete operations when "SYSTEM_FLAG_DISALLOW_DELETE" is specified 2010-06-19 17:53:19 +02:00
Matthias Dieter Wallnöfer
46bcf883bf s4:rootdse LDB module - strip trailing whitespaces 2010-06-19 17:53:18 +02:00
Matthias Dieter Wallnöfer
7f46a91e77 s4:rootdse LDB module - protect add and delete operations on the rootdse entry 2010-06-19 17:53:18 +02:00
Matthias Dieter Wallnöfer
72e14ea8bd s4:rootdse LDB module - Return "UNWILLING_TO_PERFORM" when no attribute fits on a change 2010-06-19 17:53:17 +02:00
Matthias Dieter Wallnöfer
2af67a3602 s4:rootdse LDB module - refactor error messages
Fix indentations, use "set_errstring" when no "asprintf" functionality required.
2010-06-19 17:53:16 +02:00
Matthias Dieter Wallnöfer
a4381239ba s4:objectclass LDB module - use the old DN when displaying error messages 2010-06-19 17:53:16 +02:00
Matthias Dieter Wallnöfer
ee2bb4474f s4:objectclass LDB module - add a better message when the parent DN is invalid 2010-06-19 17:53:15 +02:00
Matthias Dieter Wallnöfer
04890bb750 s4:objectclass LDB module - add an error message when someone tries to add entries without objectclasses 2010-06-19 17:53:15 +02:00
Matthias Dieter Wallnöfer
9da8b06112 s4:objectclass LDB module - handle the case when there is a retry to add the root basedn
This isn't quitted with a normal "NO_SUCH_OBJECT" (parent not found) but with a
very special referral: one with the DN itself and the hostname is the last
component value of the DN.
2010-06-19 17:53:14 +02:00
Jelmer Vernooij
b03637cb9e dsdb: Fix includes when building against system ldb. 2010-06-19 14:46:22 +02:00
Jelmer Vernooij
ccaf0c6038 dsdb: Use Samba includes so _PUBLIC_ is defined. 2010-06-19 13:55:41 +02:00
Jelmer Vernooij
238e89f7b0 dsdb: Make module ops struct for each module public. 2010-06-19 13:46:39 +02:00
Matthias Dieter Wallnöfer
955e1835ef s4:objectclass LDB module - move "mem_ctx" initialisation lower
Saves us some "talloc_free"s on error cases
2010-06-18 10:03:09 +02:00
Jelmer Vernooij
bd8fcd869d s4: Fix build when there is a system-provided ldb. 2010-06-16 18:13:18 +02:00
Matthias Dieter Wallnöfer
233ce18a17 s4:linked attributes LDB module - strip trailing whitespaces 2010-06-16 15:34:41 +02:00
Matthias Dieter Wallnöfer
e190683b59 s4:linked_attributes LDB module - cosmetics
- unsigned counters for LDB objects
- we tend to have the "ret" variable always as the last declaration to see
  which type of error a function returns
2010-06-16 15:34:41 +02:00
Stefan Metzmacher
6dbcffb51d s4:lib: merge LDB_WRAP and LDBSAMBA and make LDBSAMBA a library.
This is needed to remove samba specific symbols from the bundled
ldb, in order to get the ABI right.

metze

Signed-off-by: Andreas Schneider <asn@samba.org>
2010-06-16 14:07:28 +02:00
Andrew Bartlett
18f3e5113a s4:dsdb Allow renames with (now removed) linked attributes
It is important to allow the rename, even if we just have one-way
links, as this happens on deleted objects, which have the backlinks
already removed by repl_meta_data.

Andrew Bartlett
2010-06-16 12:05:31 +10:00
Andrew Bartlett
25abcb6818 s4:dsdb Fix linked_attributes to cope with the Feb 2010 changes to DLIST
The DLIST macros changed in behaviour in Feb 2010, and walking the
lists backwards is no longer safe if you don't use the macros.

Andrew Bartlett
2010-06-16 09:57:52 +10:00
Andrew Bartlett
5150f8597a s4:dsdb Assert that we can't get backlinks as input in linked_attributes
The objectclass_attr module should prevent users creating such links,
and the mrepl_meta_data module should only create them in functional
level 2003 or above.

Andrew Bartlett
2010-06-16 09:57:52 +10:00
Andrew Bartlett
ec6839ac26 s4:dsdb use dsdb_module_modify() rather than ldb_next_request()
This does exactly the same thing, but with less code.

Andrew Bartlett
2010-06-16 09:57:51 +10:00
Andrew Bartlett
ffa787772f s4:dsdb Handle backlinks for Windows 2000 level linked attributes
This revives the code from 5964acfa74,
before tridge and I simplified this too much, and removed the Windows
2000 functional level linked attribute support.

By telling the linked_attributes module that repl_meta_data has
handled the links, we avoid a conflict for the new style (functional
level 2003 and above) linked attributes.  However, we still need
backlinks for 2000 style linked attributes, so this allows that code
in the linked_attributes module to be revived to handle those.

Andrew Bartlett
2010-06-16 09:57:51 +10:00
Andrew Bartlett
ecfce7365c s4:dsdb Add control for signaling between repl_meta_data and linked_attributes
This control will allow the linked_attributes module to know if
repl_meta_data has already handled the creation of forward and back
links.

Andrew Bartlett
2010-06-16 09:57:51 +10:00
Jelmer Vernooij
7fe9e6cd69 dsdb: Fix includes when building against system ldb. 2010-06-15 13:15:50 +02:00
Jelmer Vernooij
6c9336110c dsdb: Build modules as external modules when using system ldb. 2010-06-15 13:15:50 +02:00
Andrew Bartlett
b16e602660 s4:dsdb Move linked attribute restrictions to objectclass_attrs
This puts more of the schema restrictions in one place.

Andrew Bartlett
2010-06-15 10:54:09 +10:00
Andrew Bartlett
8ea4118472 s4:dsdb Add const to dsdb_dn functions that operate on an ldb_val.
Andrew Bartlett
2010-06-15 10:53:50 +10:00
Andrew Bartlett
7c60ac97bf s4:provision Allow a specific prefix map to be loaded into a new schema provision
This allows the prefixMap from a DRS server to be used when loading
the schema from the local files.  This helps us then import other
schema with this map in place.

Andrew Bartlett

Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
2010-06-15 10:51:34 +10:00
Andrew Bartlett
5323485eb3 s4:dsdb Allow the setting an override on the schema
The change here is to try and convert as per the previous rules, but if
we don't know a particular OID as a attributeID, then store it as an
OID (for example).  This allows known values to be converted as
before, but still copes with unknown values.

Andrew Bartlett

Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
2010-06-15 10:51:34 +10:00
Andrew Bartlett
6a2f7fe04c s4:dsdb Use the schema from our local provision to decode the schema
This works on the assumption that the schema partition can only
contain schema objects.

We may need to pass down some kind of 'relax' to the DRS -> LDB
conversion code, so that it allows incomplete conversions, so that we
don't fail if a new attribute is present, and we can't decode it.
This would then be resolved the second time we do the conversion.

Andrew Bartlett

Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
2010-06-15 10:51:34 +10:00
Matthias Dieter Wallnöfer
4b6ce8efc0 s4:fix allocated control OIDs for "password_hash" LDB module
The password hash module controls overlapped others. Sorry, but the
"schema_samba4.ldif" hasn't been kept up-to-date.
2010-06-13 18:35:19 +02:00
Jelmer Vernooij
51058213cb s4-test: Use smb.conf path set in environment rather than using
command-line options.

This is the first step towards supporting custom test runners.
2010-06-13 18:19:03 +02:00
Matthias Dieter Wallnöfer
890d590e51 s4:password_hash LDB module - this does really deactivate the MS LAN manager hash
Previously, only the conversion from cleartext to the LM hash was deactivated,
and not when the user specified it directly through "dBCSPwd".
2010-06-12 16:45:49 +02:00
Matthias Dieter Wallnöfer
3e98262c71 s4:password_hash LDB module - fix comment 2010-06-12 16:45:49 +02:00
Andrew Bartlett
8d8678fcfd s4:dsdb Allow calling dsdb_convert_object_ex() directly
This will allow the libnet_vampire code to manually convert individual
schema objects.

Andrew Bartlett
2010-06-12 11:19:19 +10:00
Andrew Bartlett
088d5b76ca s4:dsdb Simplify match of objectclass in dsdb_schema_set_el_from_ldb_msg
There is no need to do a full ldb_match_msg() for a simple case
insensitive string.

Andrew Bartlett
2010-06-12 11:18:41 +10:00
Andrew Bartlett
d6f5c1ace2 s4:dsdb Provide a function to convert from DRS prefix maps to the LDB prefixmap
This allows us to push a prefixmap directly into the schema we
generate in the provision code.

Andrew Bartlett
2010-06-12 11:17:22 +10:00
Andrew Bartlett
e82836467c s4:dsdb Add more debugs to help track down failures to parse the prefixmap 2010-06-12 11:17:14 +10:00
Andrew Bartlett
c6bf8e4cad s4:dsdb Put back the reference and set_attributes in dsdb_reference_schema
I'm not sure why I removed these in fe3e1af901

Andrew Bartlett
2010-06-12 11:16:49 +10:00
Matthias Dieter Wallnöfer
b61fa4b676 s4:rootdse LDB module - use LDB result constants 2010-06-11 10:19:19 +02:00
Matthias Dieter Wallnöfer
d604d49939 s4:samldb LDB module - fix up the case when the old and new "primaryGroupID" are the same 2010-06-10 16:22:09 +02:00
Matthias Dieter Wallnöfer
13ca999b3b s4:samldb LDB module - don't create multiple "ac" module contexts on modify operations
Since we do now run sequentially through all checks we don't need multiple "ac"
contexts anymore.
2010-06-10 16:22:08 +02:00
Matthias Dieter Wallnöfer
1305c91598 s4:samba_dsdb LDB module - move the "objectclass_attrs" module back
I think it should be lower in order to control also the "instanceType" module.
2010-06-10 16:22:06 +02:00
Matthias Dieter Wallnöfer
0a41b7e95b s4:instancetype LDB module - prevent all types of "instanceType" manipulation
Also on Windows Server you aren't able to change it.
2010-06-10 16:22:05 +02:00
Matthias Dieter Wallnöfer
1949864417 s4:objectclass_attrs LDB module - move the single-valued attribute check into this module
It seems to me more consistent (and also to keep the same behaviour on all
backends).

Also the DRS hack should therefore not be needed anymore since the
"repl_meta_data" module launches requests behind "objectclass_attrs".
2010-06-07 20:54:10 +02:00
Matthias Dieter Wallnöfer
0dc88d2745 s4:samba_dsdb LDB module - fix typos 2010-06-07 15:02:38 +02:00
Matthias Dieter Wallnöfer
63a8c65861 s4:samba_dsdb LDB module - enhance/fix module rule comments 2010-06-07 15:00:26 +02:00
Matthias Dieter Wallnöfer
e3c686daec s4:objectclass LDB module - rework the code which handles the objectclasses modification
Before it has been very incomplete. We try now to match the Windows Server
behaviour as close as possible.
2010-06-07 14:47:25 +02:00
Matthias Dieter Wallnöfer
ee278bf0c4 s4:acl LDB module - LDB attribute names should be compared using "ldb_attr_cmp" or "strcasecmp" 2010-06-07 14:47:24 +02:00
Matthias Dieter Wallnöfer
566d13c5d1 s4:acl LDB module - adaption for "objectclass_attrs" module
Since the attribute schema checking code moved back we need to give here the
"LDB_ERR_NO_SUCH_ATTRIBUTE" error.
2010-06-07 14:47:24 +02:00
Matthias Dieter Wallnöfer
e7eef53fe5 s4:objectclass LDB module - remove "fix_check_attributes"
Also this task is now performed by the "objectclass_attrs" LDB module.
2010-06-07 14:47:23 +02:00
Matthias Dieter Wallnöfer
227144e050 s4:samldb LDB module - adjust the module to set always a "defaultObjectCategory" on objectclass add operations
This is needed to make the "objectclass_attrs" LDB module happy. The search
check and case adjustment are done as it was using a second modify operation.
2010-06-07 14:47:23 +02:00
Matthias Dieter Wallnöfer
bd910952ba s4:remove the "validate_update" LDB module - the task is now handled by the far more complete "objectclass_attrs" LDB module 2010-06-07 14:47:23 +02:00
Matthias Dieter Wallnöfer
2586cbaadc s4:dsdb - introduce a new "objectclass_attrs" LDB module which performs the objectclass attributes checking
Until now we had no real consistent mechanism which allowed us to check if
attributes belong to the specified objectclasses.
2010-06-07 14:47:22 +02:00
Matthias Dieter Wallnöfer
9e56b54414 s4:objectclass LDB module - instantiate the schema variable centrally on the "ac" context creation
This unifies the position when the schema is read and prevents multiple
instantiations (eg on a modification operation).
2010-06-07 14:47:22 +02:00
Matthias Dieter Wallnöfer
da90868907 s4:samldb LDB module - finally we can remove the RDN check
This is now dynamically always done by the objectclass LDB module
2010-06-07 14:47:22 +02:00
Matthias Dieter Wallnöfer
ec9b6f3c60 s4:objectclass LDB module - finally implement the correct entry rename protections
Only the "systemFlags" check is still missing.
2010-06-07 14:47:21 +02:00
Matthias Dieter Wallnöfer
0ca17eaa15 s4:objectclass LDB module - cosmetic change 2010-06-07 14:47:21 +02:00
Matthias Dieter Wallnöfer
c6020ccb87 s4:objectclass LDB module - remove duplicated code 2010-06-07 14:47:20 +02:00
Matthias Dieter Wallnöfer
95da724325 s4:objectclass LDB module - fix counter variable types 2010-06-07 14:47:20 +02:00
Matthias Dieter Wallnöfer
0408ec11a9 s4:objectclass LDB module - explain why the search can return with an empty return 2010-06-07 14:47:20 +02:00
Matthias Dieter Wallnöfer
6afa5a733c s4:objectclass LDB module - this "talloc_steal" is not necessary
The "parent_dn" was created on the "ac" context which lives anyway longer
than this child request.
2010-06-07 14:47:19 +02:00
Matthias Dieter Wallnöfer
2d3760c04c s4:objectclass LDB module - fix error result if an entry doesn't contain a structural objectclass
We need to return LDB_ERR_UNWILLING_TO_PERFORM (not LDB_ERR_NAMING_VIOLATION).
2010-06-07 14:47:19 +02:00
Matthias Dieter Wallnöfer
2a294d380f s4:objectclass LDB module - use "ldb_oom" for expressing out of memory 2010-06-07 14:47:19 +02:00
Matthias Dieter Wallnöfer
3c4336bf94 s4:objectclass LDB module - fix header and add my copyright 2010-06-07 14:47:19 +02:00
Matthias Dieter Wallnöfer
98b98a29f6 s4:password_hash LDB module - adapt the module to the new "ldb_msg_remove_attr" behaviour 2010-06-06 23:13:15 +02:00
Matthias Dieter Wallnöfer
93db960fae s4:samldb LDB module - this codepart isn't needed due to the objectclass LDB module
When a "computer" entry will be added, also the inherited "user" objectclass is
going to be specified.
2010-06-06 20:48:58 +02:00
Matthias Dieter Wallnöfer
df63b2ca0e s4:get_last_structural_class - only real structural classes can be candidates for fetching the last one
Classes with objectCategory = 1 are always structural, these with
objectCategory = 0 also (as we can see in our Windows 2008 R2 schema file where
class "Person" has 0 but is structural).

Abstract classes and auxiliary ones cannot be considered (objectCategory = 2, 3)

http://msdn.microsoft.com/en-us/library/ms677964(VS.85).aspx
2010-06-06 20:48:42 +02:00
Matthias Dieter Wallnöfer
cadf774f8b s4:dsdb/common/util.c - provide a better implementation of the "samdb_msg_add_(add/del)val" calls
This supports now also coexisting add and delete message elements with the
same attribute name.
2010-06-06 20:47:10 +02:00
Matthias Dieter Wallnöfer
45171d6108 s4:ridalloc LDB module - add more "talloc_free"s where useful
Some were missing on failure return branches.
2010-06-06 20:44:01 +02:00
Matthias Dieter Wallnöfer
787a42ef99 s4:acl LDB module - fix counter types where appropriate 2010-06-06 20:43:38 +02:00
Matthias Dieter Wallnöfer
fc037e029e s4:descriptor LDB module - cosmetic fixup 2010-06-06 20:43:19 +02:00
Anatoliy Atanasov
3bae05d286 s4: check the sacl and dacl pointers on the old sd 2010-06-01 16:52:46 +03:00
Karolin Seeger
3eab655e54 s4-cracknames: Fix typo in debug message.
Karolin
2010-06-01 09:33:53 +02:00
Matthias Dieter Wallnöfer
83788988cb s4:samldb LDB module - start on a sequential trigger implementation
This is a start to allow the triggers to be called sequentially.
2010-05-31 22:43:29 +02:00
Matthias Dieter Wallnöfer
0fce829de4 s4:dsdb_load_udv_v1 - "uint32_t" counter type fits better than "unsigned int" 2010-05-31 22:43:28 +02:00
Jelmer Vernooij
82d56b9374 ldb: Fix dependencies when building with system ldb. 2010-05-31 19:22:03 +02:00
Matthias Dieter Wallnöfer
463d5f0afc s4:samldb LDB module - deny delete operations on some important attributes
Add operations are denied since these are single-valued - only replace is
allowed.

This is only provisorily at the moment - we need to implement the triggers
specified in MS-ADTS.
2010-05-30 23:13:09 +02:00
Matthias Dieter Wallnöfer
08653ac9c2 s4:samldb LDB module - rework the group change code to be again synchronous 2010-05-30 23:13:08 +02:00
Matthias Dieter Wallnöfer
c2a3792e72 s4:dsdb/samdb/ldb_modules/util.c - make sure to always free temporary data 2010-05-30 20:52:11 +02:00
Matthias Dieter Wallnöfer
b7270fbc99 s4:dsdb_module_search_dn - add code to handle NULL format string 2010-05-30 20:52:10 +02:00
Matthias Dieter Wallnöfer
f927881028 s4:dsdb/common/util.c - fix a counter variable 2010-05-30 20:52:10 +02:00
Matthias Dieter Wallnöfer
189950ce06 s4:dsdb_enum_group_mem - use "unsigned" counters
"size_t" counters aren't really needed here (we don't check data lengths).
And we save the result in a certain "num_sids" variable which is of type
"unsigned".
2010-05-24 22:01:36 +02:00
Matthias Dieter Wallnöfer
4d76c0aa80 s4:dsdb_lookup_rids - "unsigned" counters fit better than "signed" in this case 2010-05-24 22:01:20 +02:00
Matthias Dieter Wallnöfer
9696bba1d7 s4:dsdb_add_user - check the "cn"/"account_name" length (should be >= 1)
This is needed by the "cn_name_len"-1 accesses.

And use a "size_t"-typed variable for storing it (length specificators should
always be stored using "size_t" variables).
2010-05-24 21:55:11 +02:00
Andrew Bartlett
f6aa090202 s4:samr Push most of samr_LookupRids into a helper function
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.

By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.

Andrew Bartlett
2010-05-24 23:08:56 +10:00
Andrew Bartlett
c6ffd884d9 s4:samr Push most of samr_QueryGroupMember into a helper function
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID

By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.

Andrew Bartlett
2010-05-24 23:08:49 +10:00
Andrew Bartlett
20d2847492 s4:samr Move most of samr_CreateDomAlias into a helper function
This allows this logic to be shared, rather than copied, into a passdb
wrapper.

Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
fc04e565b0 s4:samr Split most of samr_CreateDomainGroup into a helper function
This allows this logic to be shared, rather than copied, into a passdb
wrapper.

Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
43c931b2d4 s4:samr Split the guts of samr_CreateUser2 into a helper function
This allows this logic to be shared, rather than copied, into a passdb
wrapper.

Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
e0d141bd46 s4:dsdb Allow a NULL search expression in dsdb_search()
The NULL search expression expands to (objectClass=*), but %s expands
NULL to (NULL) which doesn't parse...

Andrew Bartlett
2010-05-24 23:08:11 +10:00
Andrew Bartlett
c8a23147fe s4:libcli/ldap Rename ldap.h to libcli_ldap.h
It is a problem if a samba header is called ldap.h if we also want
to use OpenLDAP's ldap.h

Andrew Bartlett
2010-05-21 17:39:15 +10:00
Matthias Dieter Wallnöfer
4b56aa2771 s4:operational LDB module - fix warnings (missing parameters, unused variable) 2010-05-20 10:23:45 +02:00
Andrew Bartlett
9c6b637ce8 s4:auth Change auth_generate_session_info to take flags
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.

In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
off 'is this user the anonymous SID'.

This also takes more care to allocate the right length ptoken->sids

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
feb9ffdac8 s4:auth Add dependency from the operational module onto auth
We had to split up the auth module into a module loaded by main daemon
and a subsystem we manually init in the operational module.

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
72ccbcacdd s4:auth Allow the operational module to get a user's tokenGroups from auth
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.

Andrew Bartlett
2010-05-20 17:39:10 +10:00
Andrew Bartlett
5f9024c8a4 s4:auth Move BUILTIN group addition into session.c
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.

Andrew Bartlett
2010-05-20 17:39:09 +10:00
Andrew Bartlett
564b4c7443 s4:dsdb disable tokenGroups until end of rewrite
I need to change the functions this calls

Andrew Bartlett
2010-05-20 17:39:09 +10:00
Kamen Mazdrashki
799eb535a9 s4/metadata: fix whitespaces 2010-05-19 02:49:05 +03:00
Jelmer Vernooij
c0fb7b8180 s3: Fix some more iconv convenience usages. 2010-05-18 11:45:31 +02:00
Jelmer Vernooij
390ada6ec7 Remove more usages of iconv_convenience in files which were apparently not recompiled by waf. 2010-05-18 11:45:31 +02:00
Jelmer Vernooij
b8268cf7b0 s3: Remove use of iconv_convenience. 2010-05-18 11:45:31 +02:00
Jelmer Vernooij
f9ca9e46ad Finish removal of iconv_convenience in public API's. 2010-05-18 11:45:30 +02:00
Anatoliy Atanasov
26d41c23f6 s4-rodc: Cache am_rodc flag 2010-05-17 13:30:27 +03:00
Matthias Dieter Wallnöfer
d712356569 s4:repl_meta_data LDB module - fix counter types 2010-05-14 19:04:48 +02:00
Matthias Dieter Wallnöfer
6d95a204d7 s4:dsdb_cache LDB module - fix a typo 2010-05-14 19:02:30 +02:00
Matthias Dieter Wallnöfer
da5cd4ba34 s4:samldb LDB module - remove unused variables 2010-05-14 19:02:10 +02:00
Matthieu Patou
f45cbb0a0d s4: Do not display by default the message Failed to send DsReplicaSync if other host is just unreachable
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-05-13 19:13:30 +02:00
Stefan Metzmacher
11730520a7 s4:dsdb: fix samdb_result_logon_hours() and don't hardcode units_per_week
metze
2010-05-13 19:12:42 +02:00
Stefan Metzmacher
7e49fd92ca s4:dsdb: cached results of samdb_rodc()
metze
2010-05-11 18:11:06 +02:00
Anatoliy Atanasov
7200c25646 Revert "s4-rodc: Fix provision warnings by creating ntds objectGUID in provision"
This reverts commit c3cbb846d0.
The fix is not correct, we should cache a bool to answer amIRODC
2010-05-11 12:54:18 +03:00
Stefan Metzmacher
8489934ce3 Revert "s4:password_hash LDB module - don't break the provision"
This reverts commit 6276343ce1.

This is not needed anymore.

metze
2010-05-11 08:38:26 +02:00
Stefan Metzmacher
ad5b9ae8dc Revert "s4:password hash LDB module - check that password hashes are != NULL before copying them"
This reverts commit fa87027592.

This check is done one level above now.

metze
2010-05-11 08:38:02 +02:00
Stefan Metzmacher
8ff38004e8 s4:dsdb/password_hash: only try to handle a hash in the unicodePwd field if it's given
Sorry, I removed this logic while cleaning up indentation levels...

metze
2010-05-11 08:37:03 +02:00
Matthias Dieter Wallnöfer
56421886de s4:password_hash LDB module - we might not have a cleartext password at all
When we don't have the cleartext of the new password then don't check it
using "samdb_check_password".
2010-05-10 23:50:03 +02:00
Matthias Dieter Wallnöfer
4f25baecc1 s4:password_hash LDB module - quiet a warning 2010-05-10 20:04:37 +02:00
Matthias Dieter Wallnöfer
fa87027592 s4:password hash LDB module - check that password hashes are != NULL before copying them 2010-05-10 20:02:21 +02:00
Matthias Dieter Wallnöfer
6276343ce1 s4:password_hash LDB module - don't break the provision
This is to not break the provision process at the moment. We need to find
a better solution.
2010-05-10 19:51:31 +02:00
Matthias Dieter Wallnöfer
029351571a s4:samdb_set_password - adapt it for the user password change handling
Make use of the new "change old password checked" control.
2010-05-10 19:12:26 +02:00
Matthias Dieter Wallnöfer
6e8098b261 s4:samdb_set_password/samdb_set_password_sid - Rework
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.

An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2010-05-10 19:07:46 +02:00
Stefan Metzmacher
fc8e3ffb5f s4:password_hash - Implement password restrictions
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.

metze
2010-05-10 18:06:54 +02:00
Matthias Dieter Wallnöfer
6a69ec2f5a s4:password_hash - Rework to handle password changes
- Implement the password restrictions as specified in "samdb_set_password"
  (complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
  MS-ADTS 3.1.1.3.1.5)
2010-05-10 18:06:24 +02:00
Matthias Dieter Wallnöfer
12c4b09fd5 s4:password_hash - Rework unique value checks
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
2010-05-10 17:54:16 +02:00
Matthias Dieter Wallnöfer
3ce4a0c5f2 s4:password_hash - Various (mostly cosmetic) prework
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
  "user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
2010-05-10 17:54:15 +02:00
Matthias Dieter Wallnöfer
726fb35f9f s4:dsdb: add new controls
- Add a new control for getting status information (domain information,
  password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an additional control "change_old password checked" for the password
2010-05-10 17:54:15 +02:00
Anatoliy Atanasov
c3cbb846d0 s4-rodc: Fix provision warnings by creating ntds objectGUID in provision 2010-05-10 17:24:02 +03:00
Matthias Dieter Wallnöfer
e2806f9e4d s4:acl ldb module - fix typos 2010-05-10 12:39:44 +02:00
Matthias Dieter Wallnöfer
946993238f s4:dsdb/util.c - Add a new function for retrieving password change attributes
This is needed since we have not only reset operations on password fields
(attributes marked with REPLACE flag) but also change operations which can be
performed by users themselves. They have one attribute with the old value marked
with the REMOVE flag and one with the new one marked with the ADD flag.
This function helps to retrieve them (argument "new" is used for the new
password on both reset and change).
2010-05-10 12:20:27 +02:00
Matthias Dieter Wallnöfer
1cdc46a90a s4:samldb LDB module - make "samldb_member_check" synchronous again 2010-05-09 20:26:31 +02:00