mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

462 Commits

Author SHA1 Message Date
Stefan Metzmacher
f19637f957 r21859: add a comment why we remove the rid_crypt obfuscation
metze
(This used to be commit e44b6df138)
2007-10-10 14:49:37 -05:00
Stefan Metzmacher
d755269141 r21842: fix typo in comment
metze
(This used to be commit 8fcd5209ae)
2007-10-10 14:49:36 -05:00
Stefan Metzmacher
41c5453507 r21839: add my email address
metze
(This used to be commit e3be33c1d9)
2007-10-10 14:49:35 -05:00
Stefan Metzmacher
97d2f1cc40 r21838: generate no metadata for constructed attributes
metze
(This used to be commit 7e0620e524)
2007-10-10 14:49:35 -05:00
Andrew Bartlett
9b03286b32 r21806: I've been working over the last week to fix up the LDAP backend for
Samba4.  This only broke on global catalog queries, which turned out to
be due to changes in the partitions module that metze needed for his
DRSUAPI work.

I've reworked partitions.c to always include the 'problematic' control,
and therefore demonstrated that this is the issue.  This ensures
consistency, and should help with finding issues like this in future.

As this control (DSDB_CONTROL_CURRENT_PARTITION_OID) is not intended to
be linearised, I've added logic to allow it to be skipped when creating
network packets.

I've likewise made our LDAP server skip unknown controls, when marked
'not critical' on its input, rather than just dropping the entire
request.  I need some help to generate a correct error packet when it is
marked critical.

Further work could perhaps be to have the ldap_encode routine return a
textual description of what failed to encode, as that would have saved
me a lot of time...

Andrew Bartlett
(This used to be commit eef710668f)
2007-10-10 14:49:29 -05:00
Stefan Metzmacher
3e697d5110 r21773: fix typo orginating -> originating
and use the struct member names in all cases

metze
(This used to be commit c543ee5745)
2007-10-10 14:49:24 -05:00
Stefan Metzmacher
4e7520f643 r21772: add DS_BEHAVIOR_WIN2003_INTERIM constant
metze
(This used to be commit 59fffa7ba1)
2007-10-10 14:49:24 -05:00
Stefan Metzmacher
6cb8ac851c r21503: add useful function to get the site dn for the local server
metze
(This used to be commit 08b8e9acff)
2007-10-10 14:48:46 -05:00
Andrew Bartlett
e4ca378b63 r21497: Pass more of the RPC-CRACKNAMES test by using the new search_options control.
Andrew Bartlett
(This used to be commit 47c8a059c4)
2007-10-10 14:48:45 -05:00
Andrew Bartlett
7dc7156bd7 r21496: A number of ldb control and LDAP changes, surrounding the
'phantom_root' flag in the search_options control

- Add in support for LDB controls to the js layer
- Test the behaviour
- Implement support for the 'phantom_root' flag in the partitions module
- Make the LDAP server set the 'phantom_root' flag in the search_options control
  - This replaces the global_catalog flag passed down as an opaque pointer
- Rework the string-format control parsing function into
  ldb_parse_control_strings(), returning errors by ldb_errorstring()
  method, rather than with printf to stderr
- Rework some of the ldb_control handling logic

Andrew Bartlett
(This used to be commit 2b3df7f38d)
2007-10-10 14:48:44 -05:00
Stefan Metzmacher
b3ef5c0b92 r21470: generate Primary:WDigest blob with precalculated digest-md5 hashes:
see http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
for how the hashes are supposed to be (but w2k3 doesn't do some correctly...)

this is a very nice tool to test the hash generation, but
you need to add support for "" realm strings...
http://fresh.t-systems-sfr.com/unix/src/www/httpauth-0.6.tar.gz:a/httpauth-0.6/tools/mkha1.c

metze
(This used to be commit 26d51741b6)
2007-10-10 14:48:40 -05:00
Stefan Metzmacher
e0b1a83dd6 r21465: the LDAP-UPTODATEVECTOR test shows that the replUpToDateVector
doesn't contain an entry for the local invocation_id

metze
(This used to be commit 4bd0ddeb80)
2007-10-10 14:48:39 -05:00
Stefan Metzmacher
ad7e7249b6 r21441: create a union for the PrimaryKerberosBlob content
so that ndr_pull will fail if version isn't 3 and we notice
if the format changes...

metze
(This used to be commit 91f7a094cf)
2007-10-10 14:48:35 -05:00
Stefan Metzmacher
6e2d85e38b r21434: - get rid of "krb5Key"
- use "sambaPassword" only as virtual attribute for passing
  the cleartext password (in unix charset) into the ldb layer
- store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos
  blob to match w2k and w2k3
- aes key support is disabled by default, as we don't know
  exactly how longhorn stores them. use password_hash:create_aes_key=yes
  to force creation of them.
- store the cleartext password in the Primary:CLEARTEXT blob
  if configured

TODO:
 - find out how longhorn stores aes keys
 - find out how the Primary:WDigest blob needs to be constructed
   (not supported by w2k)

metze
(This used to be commit e20b53f6fe)
2007-10-10 14:48:34 -05:00
Stefan Metzmacher
8a9a68b707 r21395: fix comments
metze
(This used to be commit 97fc985bd0)
2007-10-10 14:48:25 -05:00
Stefan Metzmacher
9a9b197856 r21364: cosmetic change: it's nicer to use the KEYTYPE_ macro
for the keytype field...

metze
(This used to be commit e96aa89800)
2007-10-10 14:48:20 -05:00
Stefan Metzmacher
3b14713f6d r21362: rename:
"ntPwdHash" => "unicodePwd"
"lmPwdHash" => "dBCSPwd"
"sambaLMPwdHistory" => "lmPwdHistory"
"sambaNTPwdHistory" => "ntPwdHistory"

Note: you need to reprovision after this change!

metze
(This used to be commit dc4242c09c)
2007-10-10 14:48:20 -05:00
Stefan Metzmacher
e4d2c67467 r21359: remove the rid encryption before storing the password hashes
We decided to store them plain in our ldb

metze
(This used to be commit ff13b21102)
2007-10-10 14:48:19 -05:00
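The two commits above (r21859 and r21359) refer to the "rid_crypt" obfuscation that Windows applies to LM/NT hashes before storing them: each 8-byte half of the 16-byte hash is DES-encrypted under a key derived from nothing but the account's RID. The following is an added example, not Samba code or the Samba project's own implementation; the little-endian RID byte layout of the two 7-byte key seeds and the 7-to-8 byte key spreading are assumed to follow the SAM scheme as Samba's sam_rid_crypt() implements it, and the hash value is constructed. It shows why the obfuscation has no protective value: anyone who holds the stored value and the RID reverses it, which is why storing the hashes plain in ldb loses nothing.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// ridKeySeeds expands a 32-bit RID (little-endian bytes r0..r3) into the two
// 7-byte DES key seeds. Layout assumed to match the SAM / sam_rid_crypt scheme:
// a 14-byte pattern r0 r1 r2 r3 r0 r1 r2 r3 r0 r1 r2 r3 r0 r1, split at byte 7.
func ridKeySeeds(rid uint32) (k1, k2 [7]byte) {
	r := [4]byte{byte(rid), byte(rid >> 8), byte(rid >> 16), byte(rid >> 24)}
	k1 = [7]byte{r[0], r[1], r[2], r[3], r[0], r[1], r[2]}
	k2 = [7]byte{r[3], r[0], r[1], r[2], r[3], r[0], r[1]}
	return k1, k2
}

// desKey56 spreads 56 key bits over 8 bytes, 7 bits per byte in bits 7..1.
// Bit 0 is the DES parity bit; the key schedule discards it, so it is left 0.
func desKey56(s [7]byte) []byte {
	k := []byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0F)<<3 | s[4]>>5,
		(s[4]&0x1F)<<2 | s[5]>>6,
		(s[5]&0x3F)<<1 | s[6]>>7,
		s[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// ridCrypt applies (forward == true) or removes (forward == false) the RID
// obfuscation on a 16-byte LM/NT hash: DES-ECB of each 8-byte half under its
// own RID-derived key. No secret is involved; the RID alone undoes it.
func ridCrypt(rid uint32, hash [16]byte, forward bool) ([16]byte, error) {
	var out [16]byte
	k1, k2 := ridKeySeeds(rid)
	for i, seed := range [2][7]byte{k1, k2} {
		block, err := des.NewCipher(desKey56(seed))
		if err != nil {
			return out, err
		}
		dst, src := out[i*8:(i+1)*8], hash[i*8:(i+1)*8]
		if forward {
			block.Encrypt(dst, src)
		} else {
			block.Decrypt(dst, src)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample value, not a real account's hash.
	raw, _ := hex.DecodeString("0123456789abcdef0123456789abcdef")
	var h [16]byte
	copy(h[:], raw)
	obf, err := ridCrypt(500, h, true) // RID 500 is the built-in Administrator
	if err != nil {
		panic(err)
	}
	plain, _ := ridCrypt(500, obf, false)
	fmt.Printf("rid=500 obfuscated=%x recovered=%x\n", obf, plain)
}
```

Because the key material is public (the RID is visible in the object's SID), the transform is reversible by any reader of the stored value; it only stops a trivial byte-for-byte comparison of two accounts with the same password.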
Stefan Metzmacher
4878c4c782 r21355: work in child domains, CN=Configuration isn't always under the domain dn
metze
(This used to be commit cdfd4ee8e5)
2007-10-10 14:48:18 -05:00
Stefan Metzmacher
43a0c615a3 r21315: ldb now supports filters like (&(dn=%s)(&(objectClass=kerberosSecret)(privateKeytab=*))) again
we can use such a filter:-)

we should only update the keytab for records matching this filter,
that means we need to do a search before calling cli_credentials_set_secrets()

metze
(This used to be commit 23adca4e34)
2007-10-10 14:48:09 -05:00
Stefan Metzmacher
e869883d80 r21306: fix the RPC-LSA tests, the admin could no longer get the 'currentValue'
attribute...

this needs more work, but makes it work again for now

metze
(This used to be commit 608d24f001)
2007-10-10 14:48:07 -05:00
Stefan Metzmacher
42598ada22 r21296: remove the session specific encryption from the attributes
before storing them.

metze
(This used to be commit 7146e265a4)
2007-10-10 14:48:04 -05:00
Stefan Metzmacher
9bdb49455a r21282: we only need one for loop...
metze
(This used to be commit 181b3a031f)
2007-10-10 14:44:59 -05:00
Stefan Metzmacher
e38fad186f r21281: move consistency checks to the beginning of the function
metze
(This used to be commit f2af44d204)
2007-10-10 14:44:58 -05:00
Andrew Bartlett
4aa1f83ca5 r21179: Anything more complex than this causes the keytab never to be updated...
Andrew Bartlett
(This used to be commit c3977b4bae)
2007-10-10 14:44:43 -05:00
Andrew Bartlett
744dddd75b r21135: Instead of having hooks to update keytabs as an explicit thing, update
them as a hook on ldb modify, via a module.

This should allow the secrets.ldb to be edited by the admin, and to
have things update in the on-disk keytab just as an in-memory keytab
would.

This isn't really a dsdb plugin, but I don't have any other good ideas
about where to put it.

Andrew Bartlett
(This used to be commit 6ce557a1af)
2007-10-10 14:44:31 -05:00
Stefan Metzmacher
ea57190d25 r20978: 300 seconds as interval is ok, when we do nothing
metze
(This used to be commit 4d6629c683)
2007-10-10 14:44:16 -05:00
Stefan Metzmacher
9142a00cb7 r20977: start the 'drepl' service, which currently does nothing by default,
but make it less verbose

metze
(This used to be commit f7e82a0c94)
2007-10-10 14:44:16 -05:00
Stefan Metzmacher
c601a9ddcd r20975: - implement handling of metadata on an originating add
there are a few things TODO, but it's a good start

we need to research if an originating change causes the replUpToDateVector
attribute to change...(I assume it, but needs testing)

metze
(This used to be commit fde0aabd9a)
2007-10-10 14:44:06 -05:00
Stefan Metzmacher
faa9c2374c r20974: add basic infrastructure for a DSDB replication service
not activated yet...

it will handle inbound pull replication and outbound change notification

metze
(This used to be commit 15eae968b8)
2007-10-10 14:44:06 -05:00
Stefan Metzmacher
eb7596e66b r20973: add functions to create the autocreated subSchema Attributes:
attributeTypes, objectClasses and dITContentRules

this is just a start and doesn't create anything useful yet...

metze
(This used to be commit 4c8b717092)
2007-10-10 14:44:06 -05:00
Stefan Metzmacher
6fda023f80 r20971: we don't need this check twice:-)
metze
(This used to be commit b7d48274a7)
2007-10-10 14:44:05 -05:00
Stefan Metzmacher
c84d8124b2 r20968: - add functions to sort the meta data and attribute arrays
- we should use them before we store records to disk

metze
(This used to be commit a5200ef0ca)
2007-10-10 14:44:04 -05:00
Stefan Metzmacher
a00bd47bfa r20957: a value of FF0000000000000000000000000000000000000000 isn't stored as schemaInfo
so we need to use it as value if nothing is stored

metze
(This used to be commit cd32613407)
2007-10-10 14:44:02 -05:00
Stefan Metzmacher
bf86c27440 r20923: only allow extended operations for SYSTEM or administrators for now
metze
(This used to be commit f062f09fbf)
2007-10-10 14:43:53 -05:00
Stefan Metzmacher
21cf5c82a2 r20921: - only give password attributes to the SYSTEM account
- but SYSTEM and administrators can change them

metze
(This used to be commit fc5319e927)
2007-10-10 14:43:52 -05:00
Stefan Metzmacher
8309f2c35b r20909: add a module that implements the LDAP_CONTROL_SHOW_DELETED_OID control
it hides objects with isDeleted=TRUE by default, and lets them through
if the control is present

metze
(This used to be commit 7108d62cb0)
2007-10-10 14:43:51 -05:00
Stefan Metzmacher
89278a1469 r20906: allow LDAP simple binds using the following syntaxes in the DN field:
CN=Administrator,CN=Users,DC=w2k3,DC=vmnet1,DC=vm,DC=base
Administrator@W2K3
W2K3\Administrator
w2k3.vmnet1.vm.base/Users/Administrator

w2k3 also allows this (and maybe more...?)

metze
(This used to be commit 40c27ef88d)
2007-10-10 14:43:50 -05:00
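The commit above lists four spellings a client may put in the DN field of an LDAP simple bind. The following added example, not Samba code, normalises those four forms to a (domain, user) pair so a server can look the account up before checking the password. Assumptions: for the DN form the first CN= value is the account and the DC= values joined with dots are the domain; for the canonical form the first path segment is the DNS domain and the last is the account; the inputs in main() are the ones from the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// BindName is the account reference extracted from a simple-bind DN field.
// Mapping to an actual account and verifying the password is a separate step.
type BindName struct {
	Form   string // "dn", "nt4", "upn" or "canonical"
	Domain string // domain as written: joined DC= values, NetBIOS name, UPN suffix or DNS name
	User   string
}

// parseDN takes the first CN= value as the account and joins the DC= values
// into a DNS domain name; container RDNs such as CN=Users are ignored.
func parseDN(s string) (BindName, error) {
	var cn string
	var dcs []string
	for _, rdn := range strings.Split(s, ",") {
		attr, val, ok := strings.Cut(strings.TrimSpace(rdn), "=")
		if !ok || val == "" {
			return BindName{}, fmt.Errorf("malformed RDN %q", rdn)
		}
		switch strings.ToUpper(attr) {
		case "CN":
			if cn == "" {
				cn = val
			}
		case "DC":
			dcs = append(dcs, val)
		}
	}
	if cn == "" || len(dcs) == 0 {
		return BindName{}, errors.New("DN needs at least one CN and one DC component")
	}
	return BindName{Form: "dn", Domain: strings.Join(dcs, "."), User: cn}, nil
}

// ParseBindName recognises the four syntaxes from the commit message. The DN
// test runs first because a DN value may itself contain '@', '\' or '/'.
func ParseBindName(s string) (BindName, error) {
	s = strings.TrimSpace(s)
	var b BindName
	switch {
	case strings.Contains(s, "="):
		return parseDN(s)
	case strings.Contains(s, "\\"): // DOMAIN\user
		b.Form = "nt4"
		b.Domain, b.User, _ = strings.Cut(s, "\\")
	case strings.Contains(s, "@"): // user@REALM, split at the last '@'
		b.Form = "upn"
		i := strings.LastIndex(s, "@")
		b.User, b.Domain = s[:i], s[i+1:]
	case strings.Contains(s, "/"): // dns.domain/Container/.../user
		b.Form = "canonical"
		parts := strings.Split(s, "/")
		b.Domain, b.User = parts[0], parts[len(parts)-1]
	default:
		return b, fmt.Errorf("unrecognised bind name %q", s)
	}
	if b.Domain == "" || b.User == "" {
		return BindName{}, fmt.Errorf("empty domain or user in %q", s)
	}
	return b, nil
}

func main() {
	for _, s := range []string{
		"CN=Administrator,CN=Users,DC=w2k3,DC=vmnet1,DC=vm,DC=base",
		"Administrator@W2K3",
		"W2K3\\Administrator",
		"w2k3.vmnet1.vm.base/Users/Administrator",
		"Administrator", // bare name: rejected
	} {
		b, err := ParseBindName(s)
		fmt.Printf("%-58s -> %+v %v\n", s, b, err)
	}
}
```

A bare account name with no domain is rejected rather than guessed, so the caller decides explicitly which domain a domain-less bind should be resolved against.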
Stefan Metzmacher
c2e492ece3 r20902: don't crash if the object isn't there yet
metze
(This used to be commit 4588e2522b)
2007-10-10 14:43:50 -05:00
Stefan Metzmacher
3e523582ea r20871: implement the validFSMOs constructed attribute on the rootdse
for the schema, domain naming and pdc fsmo roles

infrastructure and rid manager will be added later,
when we have modules for them

metze
(This used to be commit 308f9cf822)
2007-10-10 14:43:43 -05:00
Stefan Metzmacher
301129f6de r20870: implement the constructed attributes dsSchemaAttrCount,
dsSchemaClassCount and dsSchemaPrefixCount on the rootdse

having a loaded dsdb_schema makes things so easy...:-)

metze
(This used to be commit 7862fcdbb5)
2007-10-10 14:43:43 -05:00
Stefan Metzmacher
cc6c3eb38c r20867: add modules to handle the domain naming and the pdc FSMO Roles
metze
(This used to be commit 341fae8e84)
2007-10-10 14:43:42 -05:00
Stefan Metzmacher
aa2439da35 r20866: - fix debug messages missing new lines
- use LDB_DEBUG_WARNING in some places
- debug if we're the schema master

metze
(This used to be commit 63f4634443)
2007-10-10 14:43:42 -05:00
Stefan Metzmacher
bd46898e69 r20864: move common stuff into an extra function
metze
(This used to be commit 3f441741a6)
2007-10-10 14:43:41 -05:00
Stefan Metzmacher
2a7cbb2c53 r20863: check that there's a current partition control attached to the request
metze
(This used to be commit b1377a2e24)
2007-10-10 14:43:41 -05:00
Stefan Metzmacher
1500cd79d9 r20855: pass the DSDB_CONTROL_CURRENT_PARTITION_OID control also for the
send_all case

metze
(This used to be commit b3fce383d3)
2007-10-10 14:43:40 -05:00
Stefan Metzmacher
f58e49ade8 r20853: attach the DSDB_CONTROL_CURRENT_PARTITION_OID control when requests
are passed to a specific partition

metze
(This used to be commit 06a46b1db4)
2007-10-10 14:43:40 -05:00
Stefan Metzmacher
a35a071fc9 r20849: first step to move away from using find_backend() and use find_partition()
instead

metze
(This used to be commit 0d75cca6f3)
2007-10-10 14:43:39 -05:00
Stefan Metzmacher
7730ff44af r20847: - split some code out into a new function find_partition()
- make all functions static

metze
(This used to be commit 3d313f08c7)
2007-10-10 14:43:39 -05:00
Stefan Metzmacher
21206f36c6 r20826: make the dsdb_control_current_partition struct public and allocate an oid for the
control

metze
(This used to be commit 684eee52e8)
2007-10-10 14:43:37 -05:00