IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Which allows the caller to pass a given 'pwdLastSet' value
(every useful for migrations).
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Oct 7 15:28:13 CEST 2011 on sn-devel-104
we show wellknown links to the deleted objects container
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Oct 7 07:58:08 CEST 2011 on sn-devel-104
unless the user asks for the display of deactivated links, we should
not display DNs that link to deleted objects
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
to correctly implement the show_deleted and show_recycled control we
need to know if the recyclebin is enabled. When not enabled, the
isRecycled attribute is ignored, and only isDeleted is used.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
the dsdb_check_optional_feature() call should look on our own NTDS DN
for the enabled feature. This should work for all features, not just
for forest wide fetaures.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this sets DSDB_REPL_FLAG_PARTIAL_REPLICA when replicating a RODC
partition, which tells the replication code to map instanceType to
remove the INSTANCE_TYPE_WRITE bit
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
if we repeat the join of a subdomain then we try to re-create the NC
for the subdomain during a DsAddEntry(). This allows that re-creation
to succeed if the NC already exists
when we are adding an object via DRS, we need to add the
DSDB_CONTROL_PARTIAL_REPLICA control if we are replicating a partial
replica, so ensure the partition module creates new NCs as partial
replicas
when doing DRS between domains, using the right SPN is essential so
the KDC can generate referrals to point us at the right DC. We prefer
the GC/hostname/DNSDOMAIN form if possible, but if we can't find the
hostname then this changes the code that generates the target
principal name to use either the msDS-HasDomainNCs or hasMasterNCs
attributes to try to find the target DC domainname so we can use the
E3514235-4B06-11D1-AB04-00C04FC2DCD2/GUID/DNSDOMAIN SPN form.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this control tells the partition module that the DN being created is a
partial replica, so it should modify the @PARTITION object to add the
partialReplica attribute
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
when we receive objects to a partial replica, we need to change the
incoming instanceType to not include the INSTANCE_TYPE_WRITE
flag. Partial replicas unset this flag.
With this set, we accept changes even if they have the same tuple as
the local copy. This can be used by a FULL_SYNC replication to recover
a replica that is corrupt
if instanceType does not include INSTANCE_TYPE_WRITE, then disallow
changes to any replicated attributes. This ensures partial replicates
are not alterered
this allows the replication server to control replication via a set of
flags. Initial flags will allow control for partial replications and
full_sync support
this modifies the partition module to honor a partialReplica attribute
on the @PARTITION module, marking partiations as partial replicas so
the NO_GLOBAL_CATALOG control can be honoured
this control is used to ask samdb to not return searches with a basedn
in partial repica partitions, which is needed to support the
difference between a search on the 3268 GC ldap port and the non-GC
389 port
we need to use the hasMasterNCs and hasPartialReplicaNCs attributes on
our NTDS object to get the list of NCs to replicate, instead of using
the rootDSE. This is needed to support replicating of GC partial
replicas, which are not listed in the rootDSE
if the @ATTRIBUTES or other objects which are replicated between
partions become out of sync, then the ldb would fail to open. This
changes ensures that we can always fix those records, by running the
operation in the top level partition, and replicating the result to
the other partitions
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Sep 19 04:31:48 CEST 2011 on sn-devel-104
we can't just append CN=Configuration to the basedn, as that won't
give the right configuration DN for a subdomain of a forest
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
when we do a subdomain join we create a new object using a REPL_OBJ
getncchanges call for the partitions DN. This has a side effect of
creating that object. We need to skip the UDV update in that case
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This matches the search in other places
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Sep 8 05:02:54 CEST 2011 on sn-devel-104
this uses the bitwise comparison ldap operators to ensure we only get
NC roots
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Sep 5 12:48:39 CEST 2011 on sn-devel-104
I'm pretty sure a SHOW_DELETED was wanted here
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Aug 25 01:10:13 CEST 2011 on sn-devel-104
this converts a DC into the equivalent DNS domain. It is used when
forming t_msdcs NTDS DNS names
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
windows does not allow a search on the empty DN except for rootDSE
searches or for phantom_root searches (ie. with --cross-ncs). By
enforcing this in Samba we make it more likely that our tests and
utilities will work against windows
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
NULL should be used when doing all partition searches. The default
basedn should be used when wanting just the domain NC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
when searching all partitions we must use the NULL basedn, or we will
miss partitions in multi-domain setups
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
when in FL 2000 we were not correctly deleting backlinks as we uses
dsdb_find_dn_by_guid() which doesn't find deleted objects. Modules
should use dsdb_module_dn_by_guid() which prevents going to the top
level, and finds deleted objects
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
added comments explaining the backlink deletion code, plus fix a use
of a bitwise operation in a boolean expression, and avoid calling
dsdb_functional_level() inside a loop
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this DN can change due to a server rename, so we cannot cache it. It
is set by provision, but not anywhere else.
This seems to not have a large performance impact
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows dsServiceName to be stored as an extended DN or GUID form
in @ROOTDSE, and its string form will be found at runtime.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
these are not needed now that the rootdse modules calculates the
validFSMOs attribute at runtime
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this changes the rootdse to compute the validFSMOs attribute at
runtime by checking the fSMORoleOwner attribute on the appropriate
DN. This avoids the need for the pdc_fsmo and naming_fsmo modules.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
s4:subtree_rename LDB module - fix the move/rename constraints
By the inspiration of an email request by ekacnet I have rechecked the
move/rename constraints and re-read the chapter 3.1.1.5.4.1 located in the
MS-ADTS technical documentation.
It really turns out that the constraint checking is only performed on
the root object of a request.
In addition add my copyright notice (I've written these constraint checks).
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Aug 10 01:05:19 CEST 2011 on sn-devel-104
This happens if we have a custom schema - we need to build up the schema until
it loads, by converting more objects.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Aug 9 13:10:25 CEST 2011 on sn-devel-104
this can be used to force re-indexing of samdb when we change
something that affects index comparison, in this case the
canonicalisation of booleans
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this auto-normalises some attributes when they are added/modified. The
list that we auto-normalise is currently:
Boolean
INT32
INTEGER
UTC_TIME
This fixes a problem with groupType being stored in an unnormalised
form
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this replaces DN components in incoming filter expressions with the
full extended DN of the target, which allows search expressions based
on <GUID=> and <SID=> DNs, as well as fixing the problem with one-way
links in search expressions
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows for searches like member=<SID=S-1-2-3>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
this is faster than string comparisons during searches at runtime
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
when we return a DN which is a one way link, fix the string DN
component by searching for the GUID and replacing the DN components
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows us to quickly determine if a DN is a one way link
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
this allows us to use dsdb_module_dn_by_guid() from levels below the
extended_dn_out module
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.
Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.
Andrew Bartlett
If the parent request specify the show_deleted control we must use it in
order to be able to see the deleted objects.
Also we just allow to trusted connections with the system account to
remove deleted objects, others receive an unwilling to perform.
kcc_service struct gets a intrasite_code
boolean that is filled in via parametric parameter
kccsrv:intrasite = [true/false] in smb.conf. This
will allow us to continue to utilize old simple
KCC topology as continuing default while newer
intra-site topology matures further.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Jul 14 00:19:12 CEST 2011 on sn-devel-104
We need the ability to utilize this function in a different
manner. KCC intra-site topology has already vetted the
replica as being appropriate to produce a repsFrom from.
We do not want kccsrv_add_repsFrom() to produce further
checking as was the case for simple topology. Thus if
we pass a NULL (res) parameter this extra check will
be skipped.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
kccsrv_replica_flags() and
kccsrv_add_repsFrom() need to be available to functions
outside kcc_periodic.c
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Utilized by KCC to carry the invocation id of the NTDSDSA
that we are replicating the name context from. Utilized
when NTDSConnection is created (much like dsa_guid tracks
the NTDSDSA objectGUID that we are replicating the name
context from).
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Previously this set an explicit (0x1) value whereas it
can now utilize NTDSCONN_OPT_IS_GENERATED from flags.h
Signed-off-by: Andrew Tridgell <tridge@samba.org>
A helper function for retrieving the ntds site settings
via standalone function call. Used within KCC
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Flags that were missing from flags.h or were incorrectly
defined inline to the kcc_topology.c code (and thus unusable
elsewhere). These are the NTDSConnection and NTDSDSA Site
settings flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
this fixes the DN to have a full GUID for new objects
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jul 13 14:03:30 CEST 2011 on sn-devel-104
the samldb checks failed to account for the possibility of a member
being removed and added in the same modify operation. This happens
(for example) when dbcheck is fixing a SID in a DN.
The repl_meta_data.c code already has this check, it just wasn't
giving the right specialised error code for the 'member' attribute
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
this allows conversion from a DRS attribute ID to a LDAP display name
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
The usual use case is that you have a not complete linked attribute (ie.
without the SID) if we keep using the old dn, then the SID will never be
added.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This is needed because we can have more than 1 value in a single valued
attribute as we store also deleted values. So we do the check in repl_meta_data
and then indicate LDB to do the check.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
the objectclass_attrs validation that an object contains all mandatory
attributes is incorrect for deleted objects, as they get stripped of
some mandatory attributes when deleted (for example, objectCategory
gets stripped)
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
when extended_dn_in fails to resolve a GUID extended DN component, the
debug code assumed that it was a search operation, and accessed
ac->req->op.search.base, which is not valid for non-search DN
expansions.
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
this allows attributes not known in the schema to be removed if the
caller has set the RELAX control. This will be used by dbcheck to
allow cleaning of bad attributes from the database
We need to ensure that if this parses name.name_string as just one
val, then we don't read uninitialised and possibly unallocated memory.
Found by Adam Thorn <alt36@cam.ac.uk>
While we are checking that, we need to fix the strncasecmp() check to
first check if the string is the expected length, then check for a
match against sAMAccountName-without-doller, as otherwise we will
permit a string such as machinefoo to match a sAMAccountName of
machine.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104
this allows dbcheck to fix bad attributes
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104
if we search with a base DN that has both a GUID and a SID, then use
the GUID first. This matters for the S-1-5-17 SID.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
When searching using extended DNs, if there are multiple matches then
return an object not found error. This is needed for the case of a
duplicate objectSid, which happens for S-1-5-17
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
When converting from DRS to ldb format for a BINARY_DN, don't add the
GUID extended DN element if the GUID is all zeros.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
The two error tables need to be combined, but for now seperate the names.
(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
Due to library link orders, this is already the function that is being
used. However we still need to sort out the duplicate symbol issues,
probably by renaming things.
Andrew Bartlett
this call converts a set of attributes to DRSUAPI format and back to
ldb format. This has the effect of normalising the attributes using
the schema syntax rules
- Add more "mem_ctx" free functions on error cases
- Steal the "out" string directly onto the LDB context to be able to free
the local "mem_ctx"
Reviewed-by: Tridge
Older AD deployments simply don't have it and hence there is no RODC
support.
Reviewed-by: abartlet
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed May 25 10:26:37 CEST 2011 on sn-devel-104
Ekacnet was not quite right yet but his patch made me think further.
This primary group changing is only needed if the account type changes.
With this patch we do one more search if the "userAccountControl"
changes but we save us from doing these unneeded and wrong modify replace
operations most of the time.
Reviewed-by: abartlet
Notice: The domain administrators groups isn't referenced as "Domain Admins"
since this name could differ.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat May 21 19:19:57 CEST 2011 on sn-devel-104
With this function your own search tree can be specified
This function is similar to ldb_build_search_req_ex as it allows to
pass a parse tree structure.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This function is problematic because a string may expand in size when
changed into upper or lower case. This will then push characters off
the end of the string in the s3 implementation, or panic in the former
s4 implementation.
Andrew Bartlett
This call should only be performed at the beginning of a request.
"ldb_msg_sanity_check" checks for DN validity (which should already have been
done at the beginning of the request) and empty attributes (which should
be done by the "objectclass_attrs" LDB module).
Hence it is superflous here.
Reviewed-by: abartlet
