IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This attribute can not be modified on existing schema object.
msDS-IntId is not allowed during attribute creation also.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
According to http://msdn.microsoft.com/en-us/library/cc223224%28PROT.13%29.aspx
some Attributes OIDs may not use prefixMap.
Setting ATTID in Schema Cache here should work, although
this code snippet should be moved in separate function.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The bug is that prefixMap is updated only memory when
adding new Classs/Attribute that has and OID not in
prefixMap already.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
To allow us to use the repl_meta_data module in standalone mode (and
thus not have two module stacks to test), we need a invocationID
stored somewhere when standalone. This creates a random one, and
stores it in @SAMBA_DSDB.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This is used to udpate just the DN components of a ldb_dn, leaving the
other extended fields alone. It is needed to prevent linked attribute
updates from removing other extended components.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This can be used to enable the recyclebin on a windows box. Once we
properly implement this feature in samba we will use this to enable
the feature on ourselves as well.
This canonicalise avoids a problem with an add that has multiple
elements with the same el->name. That is allowed by MS servers, and by
ldb, but it breaks things like the tdb backend and the repl_meta_data
RPMD handling.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This is done by sorting the classes by subClass_order, which will
check if the last structural class is valid to add (in
objectclass_do_add instead checking the last class in the list).
They were being sorted by building a class tree, and adding the
classes to the list in that order. However, AUX classes usually don't
fit into that tree, so LDB_ERR_OBJECT_CLASS_VIOLATION was returned. I
have changed the behavior to sort the classes by subClass_order
instead.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Makes sure samAccountName has been specified before adding a
user. This happened while I was trying to add a user with the
posixAccount objectclass. I forgot to specify the user objectClass,
and samba segfaulted. It now returns LDB_ERR_CONSTRAINT_VIOLATION.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
It can now also be used by objectclass.c
get_last_structural_class now ignores AUX classes, because they are
not structural
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Check to see if there were any messages passed to acl_modify before
debugging the first one. I think I caused this by some malformed
LDIF.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The problem here is that as we start to get 'real users' they still
decide to do silly things, like load empty but existing smb.conf
files. Let's give them a better chance to discover what they did
wrong.
Andrew Bartlett
They won't work when the LDB change is done using "samdb_replace"
(consider "samr_password.c" functions).
I think this has been a relict which has been useful before the "password_hash"
module existed. Basically it itself does now the updates.
If an ace has the PRINCIPAL_SELF as trustee, this sid has to be replaced with
the onjectSid of the object being checked. PRINCIPAL_SELF is the way to grant rights
to an account over itself.
pvfs can be NULL if the directory a share points to does not exist. In
this case, there would be no open files, so it is safe to just return
from the function.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
removing a control means it can't be seen by any other modules, which
is usually not what is wanted. Better to just mark it non-critical,
which means anyone else who wants to look at it can, but if nobody
does its not an error.
For controls that need to be seen by more than one module, it is best
to just mark them non-critical when handled, instead of removing
them. Otherwise lower modules can't see them.
In this case we want the operational module to see the SD_FLAGS
control
It isn't very useful just saying that a control is not supported,
without saying which one is the problem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This is based on the code from Eduardo Lima <eduardoll@gmail.com>, but
uses the new helper functions added in the last couple of commits
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This is based on the function of the same name from Eduardo Lima
<eduardoll@gmail.com>, but using ldb_dn_compare, to give us
comparisons consistent with what the rest of the code uses.
We will use this function in combination with dsdb_wellknown_dn() to
find the Deleted Objects container for any object.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
bug 6989 is a rare crash that has occurred in production. My best
guess as to the cause is the talloc_free() not being specific enough
as to which parent needs to be freed.
Renaming not only helps when name attribute is not here
it also helps when the case is not the good one. So
in order to avoid problem and have as much as possible similar provision
we should use the rename whenever a name difference appear.
This control will allow inspection of internal ldb values, which would
normally be stripped before being presented to users. The first use
will be stripping linked attribute meta data extended components.
- We should clean up such "helper" objects created in this function to don't
have them around until "mem_ctx" is destroyed
- Remove a from my view pointless comment "This is a password set, not change"
since an external argument "user_change" decides this ("modify" or "(re)set")
The first bug was that setting a component twice could cause it to
appear twice in the DN.
The second bug was that using an existing ldb_val from a previous call
of ldb_dn_get_extended_component() as an argument to
ldb_dn_set_extended_component() would cause a valgrind error (as the
array the val pointed into will change).
This allows us to search below the current module. That
will be important when we start using the results of this
search to get the linked attributes meta data right
The bug is that sometimes 'streams' is parent for 'new_name'.
With this said, 'new_name' must be dupped before 'streams'
pointer is freed.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
It appears some newer versions of windows return
NT_STATUS_OBJECT_NAME_NOT_FOUND on a createfile when access is denied
rather than NT_STATUS_ACCESS_DENIED. I'm not sure how this translates
to directory enumeration yet, but for now make this a parameter that
can be checked in the various torture tests.
This also gets RAW-ACLS and SMB2-CREATE passing against win7.
- The smblsa calls had to be commented out for now and should be fixed
later, but they aren't crucial to the test.
- The first two tests from RAW-ACLS were already ported to
torture_smb2_setinfo() and test_create_acl(). Modifications were
made similar to the RAW-ACLS changes.
- test_sd_get_set() was ported, but does not pass against XP or Vista;
it is not added to the SMB2-ACLS test suite.
- printf -> torture_comment / torture_warning / torture_result
- Change RAW-ACLS test suite so each test can be run individually.
- Add verify_sd() and verify_attrib() helper functions.
- Change test_nttrans_create() to work for both files and directories.
- Fix a segfault in test_inheritance() when the test errors out early.
- test_sd_get_set() does not pass against XP or Vista, so it is no longer added
to the RAW-ACLS test suite.
- Minor fixes to test_inheritance().
- New INHERITFLAGS test, which tests the auto inheritance flags a bit more.
- printf -> torture_comment / torture_warning / torture_result
(as objectClass will always be a case insensitive ascii string, we can
make a much simpler match function here than for the general case).
Andrew Bartlett
This tries to show that the domain object should not have a
primaryGroupToken, for example. (This passes against the old and new
code, as the failure case requires an object with an objectSid, and
exactly one group in it's subtree. Sadly I don't know of a valid structure
that I can construct to test this).
Andrew Bartlett
The original code here would do a subtree search under each object,
attempting to determine if it was a group. This was incorrect, and
inefficient - we just need to ask for the objectClass attribute, and
check that value before returning the group's RID.
(Much of this patch reworks operational.c to allow a search for 2
attributes for this calculation).
Andrew Bartlett
This avoids doing a new search from the top of the module stack.
This also removes the helper function dsdb_find_parentguid_by_dn()
which is now unused.
Andrew Bartlett
The show_deleted module was using a static private ptr in the module
to hold a parse tree to save on parsing. The code caused this
static ptr to change with each search, which caused incorrect
searches and numerous valgrind errors.
This patch replaces it with a hand-built parse tree.
In general functions that don't return any memory should not take a memory context.
Otherwise it is too easy to have a bug like this where memory is leaked
Two new samba4 bugs have been filed for the two corresponding known
failures. For the short term raw.sfileinfo had to be removed from
quicktest. It is no longer an individual test, but a test-suite and
quicktest can only run top level tests.
Try a rename with a wide-open share mode on an already open file
and the there is still share mode contention. For the reason why
see:
http://social.msdn.microsoft.com/Forums/en-US/os_fileservices/thread/3ca14dc9-da1f-4786-a8f7-a86e9903db0c
Msft's anser:
After further review, The reason for server to fail with sharing
violation is that the windows server that executes a path-based
rename request opens the file for DELETE access, but only with
FILE_SHARED_READ as ShareAccess . Therefore, the existing
open(frame 76), which has shared read/write/delete , is compatible
with the Windows servers access mode (DELETE), but Windows servers
open is not compatible with access mode in existing open.
Note that it is correct to state that the logic in Windows server
could have been written to allow shared read/write/delete in which
case it would succeed as you mention. The behavior here is
historical based on the existing implementation.
Some servers choose to mark a client as bad if they fail an oplock
break request by timing out (win7 is an example). Once the client is
marked as bad, future oplock requests will timeout instantly. This
causes subsequent runs of this test to fail, so rather than erroring
out as a failure, a warning is printed instead.
There is also a bug in w2k3 where it was incorrectly returning
contending a share mode lock. It worked in XP and has been re-fixed
in win7.
This can also now be run against samba3.
See what happens when we have multiple outstanding lock requests and
we try to cancel both of them within a single LockingAndX.
On Windows, it seems only the first lock in the array is cancelled,
and the second is left pending. Though, this behavior goes against
the MS-CIFS spec.
* test that 2 locks in a single LockAndX are transactional
* test that 1 unlock and 1 lock in a single LockAndX are not
transactional
* test that SMB2 doesn't like mixed lock/unlock in a single
PDU
Abstract the server requirements to pass some BRL tests.
* The new default for >64bit lock tests, is that the server should
return STATUS_INVALID_LOCK_RANGE.
* Add parameter for targets that don't implement DENY_DOS
When windows abandons a DRS sync, it will sometimes re-use the same bind handle for
a new sync. This means we need to check the DN of the sync and blank the getnc_state
if the DN has changed.
This also fixes the UDV to use the highest uSN for the partition, not for
the whole SAM.
In light of the INVALID_LEVEL that is seen for RAW_SFILEINFO_END_OF_FILE_INFO
requests on a path, I'm changing these back to using the passthrough
RAW_SFILEINFO_END_OF_FILE_INFORMATION to test the oplock break behavior as
originally intended
It turns out setting the end-of-file with Trans2SetPathInfo using the
snia spec's info level will attempt to open the file, enforcing share
modes, but then subsequentlys fail the setpathinfo with a dos error of
INVALID_LEVEL. Doing a Trans2SetFileInfo with either end-of-file info
level succeeds as expected.
Revert "Remove RFC's from the release tarballs to make the lives of the Debian"
This reverts commit eda7f35bc8.
These files are essential to the Samba4 build.
Andrew Bartlett
Includes the following verifications for the constructed parentGUID:
- Checks if it returns nothing when there is no parent object
- Ensures that attributes mentioned after the parentGUID
are returned correctly (this avoid a bug pointed out by Tridge
during sync constructed parentGUID development)
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Uses the dsdb_msg_add_guid() to add any kind of GUID attribute
to a ldb_message in several places of samba4 code.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
the nTDSConnection objects that are not needed anymore will be deleted.
the function kccsrv_delete_connection wasn't tested yet.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This reverts commit 7d400715e9.
"convert_string_talloc_convenience" does always add the NULL termination. Didn't
know that. Thanks Jelmer for pointing out!
- Revert change in "ask" - was previously correct
- Readd accidentally removed checks for non-null realm and domainname
- On interactive mode perform only one "ask" call per question
- Inform the user about the unset administrator password
