IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The key here is that while this never was an issue for builtin schema,
nor for objects with an msDS-IntID used outside the schema partition,
additional attributes added and used in the schema partition were
incorrectly using the wrong attributeID value in the replPropertyMetaData.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11783
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Mar 13 23:29:14 CET 2016 on sn-devel-144
This is only available in python 2.7 and >= 3.1
This should fix make test with python 2.6.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We saw a lot of flapping tests with:
[1793(11038)/1892 at 1h55m26s]
samba4.ldap.notification.python(ad_dc_ntvfs)(ad_dc_ntvfs)
UNEXPECTED(failure):
samba4.ldap.notification.python(ad_dc_ntvfs).__main__.LDAPNotificationTest.test_max_search(ad_dc_ntvfs)
REASON: Exception: Exception: Traceback (most recent call last):
File
"/memdisk/autobuild/fl/b1782183/samba/source4/dsdb/tests/python/notification.py",
line 181, in test_max_search
self.assertEquals(num, ERR_TIME_LIMIT_EXCEEDED)
AssertionError: 11 != 3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The attribute is added to the search request, then peeled off again
before the sort module passes the results on.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The tests are repeated twice: once properly with complex Unicode
strings, and again in a simplified ASCII subset. We only expect Samba
to pass the simplified version. The hard tests are aspirational and
show what Active Directory does.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The sort order for this function is more expected than the sort order for
ldb_comparsion_binary()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We must, when dealing with custom schema, respect the msDC-IntId value recorded
in the schema. If we do not, then we will create multiple replPropertyMetaData
records for the one attribute. This may cause confusion during replication.
This fixes the issue by always calling dsdb_attribute_get_attid() to obtain
the correct local (32 bit integer) attribute ID
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11443
This object is not based on pytalloc_Object and so this causes
a segfault (later a failure) when the struct definitions diverge.
We must also not reuse the incoming ldb_message_element as a talloc
context and overwrite the values, instead we should create a new
object and return that.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The following warning/error is reported:
[1891/4034] Compiling source4/dsdb/samdb/ldb_modules/dsdb_notification.c
cc1: warnings being treated as errors
../source4/dsdb/samdb/ldb_modules/dsdb_notification.c: In function 'dsdb_notification_filter_search':
../source4/dsdb/samdb/ldb_modules/dsdb_notification.c:192: error: value computed is not used
Waf: Leaving directory `/memdisk/autobuild/fl/b300949/samba/bin'
Build failed: -> task failed (err #1):
{task: cc dsdb_notification.c -> dsdb_notification_84.o}
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This means our LDAP server will support LDB_CONTROL_NOTIFICATION_OID now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This adds a simple implementation of LDB_CONTROL_NOTIFICATION_OID.
It requires caller (the ldap server task) to retry the request peridically,
using the same ldb_control structure in order to get some progress and
the never ending search behaviour an LDAP client expects.
For now we remember the known_usn in a cookie stored
in the otherwise unused ldb_control->data fielf
and we do a simple search using (uSNChanged>=${known_usn}+1).
In future we may do things based on the uSNChanged value.
for (i = old_highest + 1; i <= current_highest; i) {
search for (uSNChanged=i)
}
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This still leaves modifies(), but that's a task for another day.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This should result in LDAP_UNWILLING_TO_PERFORM/WERR_DS_INVALID_LDAP_DISPLAY_NAME,
so better use a useful value without spaces.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When trying to change the password with kpasswd, the KDC returns
"Unspecified password quality failure". Because we do not get the ldb
error which is e.g.: password is too young to change!
This way at least the admin can find out what is going on.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Feb 2 11:49:51 CET 2016 on sn-devel-144
add dependency that fixes ldbsearch panic due to conflict -
function read_data() is implemented both by libtspi.so.1, which
is a dependency of gnutls on FC22, and by an internal samba
shared lib.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Sat Jan 23 00:06:59 CET 2016 on sn-devel-144
In order for the recursive search module to work, we first
must stop asserting that any extended match rule is a DN (to be modified
per the extended DN munging), as this is not the case for this particular rule.
This reverts commit 8cacd5b8113fa30fb4ccaaf3193839660feb285f.
Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 14 04:54:26 CET 2016 on sn-devel-144
This is necessary because it has public headers.
Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
We fail on these ones, and it isn't immediately obvious why. Windows
also fails on *most* of them, but succeeds on "::ffff:0:0" which is a
bit strange but there you go.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 24 07:16:25 CET 2015 on sn-devel-144
A subnet name needs to be a valid CIDR address range -- that's the
ones that look like 10.9.8.0/22, where the number after the /
determines how many bits are in the address suffix. It can be IPv4 or
IPv6. There are a few odd constraints (see MS-ADTS v20150630
6.1.1.2.2.2.1 "Subnet Object") -- for example, with IPv4, the implied
bit mask can't equal the address. That is, you can't have a subnet
named "255.255.255.0/24" in a Windows subnet. This rule does not apply
to IPv6.
Windows and Samba both make some ensure that subnets have a unique
valid name, though unfortunately Windows 2008R2 is rather slack when
it comes to IPv6. We follow Windows 2012R2, which roughly follows
RFC5952 -- with one caveat: Windows will allow an address like
"::ffff:0:1:2", which translates to the IPv4 address "0.1.0.2" using
the SIIT translation scheme, and which inet_ntop() would render as
"::ffff:0:0.1.0.2". In the Samba implementation we use an inet_pton()/
inet_ntop() round-trip to establish canonicality, so these addresses
fail. Windows wisely does not allow the SIIT style addresses (the
acronym is widely agreed to be off-by-one in the second letter), and
it will regard "::ffff:0:1:2" as simply "::ffff:0:1:2" and allow it.
We would like to do that too.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows you to add, remove, or shift subnets.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These are atomic anyway.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The delete test deleted the site made by the create test, which worked
because "delete" sorts after "create" alphabetically. By themselves,
"delete" would fail and "create" would neglect its duty to clean up.
This would be an issue if the order of tests changes, if one of the
tests is not run, or if another test appears in between. Everything is
fine if they give up the pretense of independence.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These will need to be handled later, but probably via reading the cross-ref objects.
This avoids total failure when cloning a DC that has
subdomains.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Swapping between account types is now restricted
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11552
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec 16 16:03:18 CET 2015 on sn-devel-104
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Dec 15 03:17:52 CET 2015 on sn-devel-104
lastLogon is supposed to be updated for every interactive or kerberos
login, and (according to testing against Windows2012r2) when the bad
password count is non-zero but the lockout time is zero. It is not
replicated.
lastLogonTimestamp is updated if the old value is more than 14 -
random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The
14 in this calculation is the default, stored as
"msDS-LogonTimeSyncInterval", which we offer no interface for
changing.
The authsam_zero_bad_pwd_count() function is a convenient place to
update these values, as it is called upon a successful logon however
that logon is performed. That makes the function's name inaccurate, so
we rename it authsam_logon_success_accounting(). It also needs to be
told whet5her the login is interactive.
The password_lockout tests are extended to test lastLogon and
lasLogonTimestamp.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
In a few places where a login should fail in a particular way, an
actual login success would not have triggered a test failure -- only
the wrong kind of login failure was caught.
This makes a helper function to deal with them all.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 6 13:43:45 CET 2015 on sn-devel-104
This shows the correct way to accept a value that may be a list of strings
or a proper ldb.MessageElement.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We should never get a secret from a server when we specify DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING
This asserts that this is the case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
LDB_SCOPE_BASE is 0, so this works, but the corresponding parameter
is "struct ldb_control **controls", so I'd say NULL is more appropriate
here. Fixes a warning I just saw pass by.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Unknown attributeID values would cause an exception previously, and
unsorted attributes cause a failure to replicate with Samba 4.2.
In commit 61b978872fe86906611f64430b2608f5e7ea7ad8 we started
to sort these values correctly, but previous versions of Samba
did not sort them correctly (we sorted high-bit-set values as
negative), and then after 9c9df40220234cba973e84b4985d90da1334a1d1
we stoped accepting these.
To ensure we are allowed to make this unusual change to the
replPropertyMetaData, a new OID is allocated and checked
for in repl_meta_data.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>