IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
If we find that the backlink should not be visible on the given objectClass
by default, we now set DSDB_RMD_FLAG_HIDDEN_BL.
We'll evaluate that in the next commits in order to hide the
backlink by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We first create source_dn as trimmed down copy of bl->forward_dn
and then only use it for debug messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Backlink attributes which are not "allowed" in objectClass 'top'
are always possible, but only visible by default based on the
real objectClass.
In order to avoid pay the cost for finding out if a backlink
should be visible or not, we remember a 'bool bl_maybe_invisible'
both on the forward link as well as the backlink dsdb_attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
msDS-KeyCredentialLink/msDS-KeyCredentialLink-BL are defined as linked attribute pair,
but msDS-KeyCredentialLink-BL is not defined as allowed on any object class definition,
still it's possible to create msDS-KeyCredentialLink attributes.
msDS-KeyPrincipal/msDS-KeyPrincipalBL are also defined as linked attribute pair
and msDS-KeyPrincipalBL is only allowed on object class 'user', but it's possible
to create msDS-KeyPrincipal values pointing to non 'user' objects.
The result is that 'user' objects have a visible msDS-KeyPrincipalBL, but
the others don't have msDS-KeyPrincipalBL visible, by default.
The backlinks are always visible if the backlink attributes are
explicitly requested.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The tests don't require an organizationalUnit as parent object
and it makes it possible to create msDS-KeyCredential objects
within the container in the next step.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Lots of the autobuild.py log outputs are really debugging, so should be
controlled as such.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is currently unused as we don't support more than one
domain per forest, but it will help it future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 22 23:05:39 UTC 2023 on atb-devel-224
With the default of base_schema=2019 we'll adprep to 2016.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't support anything higher than 2008_R2 in Samba, but
it's possible to run this against a remove server too.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to make sure a new provision as well as dbcheck
--reset-well-known-acls include acls used by adprep 2016,
otherwise we would undo the adprep result.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
I implemented them by looking at
source4/setup/adprep/WindowsServerDocs/Domain-Wide-Updates.md.unused
and looking at a network capture where a Windows 2022 joins an
Windows 2008R2 domain.
The strange thing is that Windows (tested with server 2022) uses
c81fc9cc-0130-f4d1-b272-634d74818133 for update 83, while
Domain-Wide-Updates.md and a fresh installation use
c81fc9cc-0130-4fd1-b272-634d74818133. In order to match a fresh
installation we use c81fc9cc-0130-4fd1-b272-634d74818133.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It means we apply updates from 11-142 and list
all known updates. It turns out that update 53 is actually
update 54...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We have Domain-Wide-Updates.md and Read-Only-Domain-Controller-Updates.md only
for completeness, they are not parsed/used yet, so we added .unused in
order to avoid confusion in future.
Initially I tried to go with an ms_domain_updates_markdown.py,
but it is easier to add the current updates by hand to
domain_update.py, which will follow in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't allow MODRDN and DELETE for now as they
don't work as is anyway. We'll add these in the next steps.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is needed in order to process schema updates.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There's only a single domainDNS object in a domain and it's
the partition base object...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samDomain is an auxiliary class of domainDNS, so we'll handle them
in the search for domainDNS anyway. In addition searches for auxiliary
classes will never be found in searches.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Updates to domainDNS objects are done by the domain updates.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
They are used in newer schema uprades from Microsoft.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
'changetype: delete' is used to delete a whole object!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
'changetype: delete' is used to delete a whole object!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes sure that we detect if dbcheck --reset-well-known-acls
tries to reset to unexpected values, which we expect to currect in
recent provisions.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to pass the new tests we just added.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These demonstrate how inherited aces are constructed and applies
per objectclass, with and without the NO_PROPAGATE_INHERIT flag.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need SEC_STD_DELETE in order to run the test twice against the same server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
