mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

25267 Commits

Author SHA1 Message Date
Michael Adam
4c6e9662b8 dssync keytab: add comment header explaining add_to_keytab_entries().
Michael
(This used to be commit 1072bd9f96)
2008-08-01 17:09:08 +02:00
Michael Adam
a5d4b540e2 libnet dssync: add my C after dssync keytab changes.
Michael
(This used to be commit 9391aec8d4)
2008-08-01 16:08:00 +02:00
Michael Adam
7f3495726f vampire keytab: add command line switch --clean-old-entries.
This allows controlling cleaning of the keytab.
It will only clean old occurrences of keys that are replicated in
this run. So if you want to ensure things are cleaned up, combine
this switch with --force-full-repl or --single-obj-repl (+dn list).

Michael
(This used to be commit 21385e1c63)
2008-08-01 16:08:00 +02:00
Michael Adam
10225fbef7 dssync: add clean_old_entries flag to dssync_ctx.
Initialize it to false.
And pass it down to the libnet_keytab context in
libnet_dssync_keytab.c:keytab_startup().

Unused yet.

Michael

Note: This might not be 100% clean design to put this into the
toplevel dssync context while it is keytab specific. But then, on the
other hand, other imaginable backends might want to use this flag, too...
(This used to be commit 12e884f227)
2008-08-01 16:08:00 +02:00
Michael Adam
52fee9c87a libnet keytab: implement cleaning of old entries in libnet_keytab_add().
Triggered by the flag clean_old_entries from the libnet_keytab_context
(unused yet...).

Michael
(This used to be commit a5f4e3ad95)
2008-08-01 16:07:59 +02:00
Michael Adam
8876d79311 libnet keytab: add parameter ignore_kvno to libnet_keytab_remove_entries()
to allow for removing all entries with given principal and enctype without
respecting the kvno (i.e. cleaning "old" entries...)

This is called with ignore_kvno == false from libnet_keytab_add_entry() to
keep the original behaviour.

Michael
(This used to be commit 6047f7b685)
2008-08-01 16:07:59 +02:00
Michael Adam
18573c3e1f libnet keytab: add flag clean_old_entries to libnet_keytab_context.
Michael
(This used to be commit f40eb8cc20)
2008-08-01 16:07:59 +02:00
Michael Adam
134d8319c9 libnet keytab: use proper counter type (uint32_t) in libnet_keytab_add().
Michael
(This used to be commit d0bd9195f0)
2008-08-01 16:07:59 +02:00
Michael Adam
03b6502dc6 vampire keytab: introduce switch --single-obj-repl.
This controls whether single object replication is to be used.
This only has an effect when at least one object dn is given
on the commandline.

NOTE: Now the default is to use normal replication with uptodateness
vectors and use object dns given on the command line as a positive
write filter. Single object replication is only performed when this
new switch is specified.

Michael
(This used to be commit 0f81111ea8)
2008-08-01 16:07:59 +02:00
Michael Adam
efd89b46d6 dssync keytab: when not in single object replication mode, use object dn list as write filter.
I.e. only the passwords and keys of those objects whose dns are provided
are written to the keytab file. Others are skipped.

Michael
(This used to be commit a013f926ae)
2008-08-01 16:07:58 +02:00
Michael Adam
982759357f dssync keytab: support storing kerberos keys from supplemental credentials.
Michael
(This used to be commit 50b1673289)
2008-08-01 16:07:58 +02:00
Michael Adam
9d12511e45 libnet dssync: rename flag single to single_object_replication
So that it is more obvious what this controls.

Michael
(This used to be commit 2360f0a19f)
2008-08-01 16:07:58 +02:00
Michael Adam
5330164ec4 net rpc vampire: rename --repl-nodiff to --force-full-repl.
This is clearer.

Michael
(This used to be commit 0ddde9aae8)
2008-08-01 16:07:58 +02:00
Michael Adam
072bd87194 libnet dssync: rename repl_nodiff flag to force_full_replication.
Michael
(This used to be commit ec959b4609)
2008-08-01 16:07:05 +02:00
Michael Adam
f060b744ef libnet dssync: support lists of dns (instead of one dn) for single object replication.
Just specify several DNs separated by spaces on the command line of
"net rpc vampire keytab" to get the passwords for each of these
accounts via single object replication.

Michael
(This used to be commit 6e53dc2db8)
2008-08-01 16:07:04 +02:00
Michael Adam
ab5a6712b6 libnet dssync: move determination of request level into build_request()
...where it belongs.

Michael
(This used to be commit 012b33f1c5)
2008-08-01 16:07:04 +02:00
Michael Adam
89d817386c libnet dssync: refactor dsgetncchanges loop out into libnet_dssync_getncchanges().
Michael
(This used to be commit 93cda1aa0a)
2008-08-01 16:07:04 +02:00
Michael Adam
0099c4b0c7 libnet dssync: fix single object replication by adding one check.
Before, this used the old uptodate vector in the request...

Michael
(This used to be commit 04fb9322d5)
2008-08-01 16:07:04 +02:00
Michael Adam
9e1eccc911 libnet dssync: simplify logic of libnet_dssync_process() main loop.
Untangle parsing of results and processing.
Make loop logic more obvious.
Call finishing operation after the loop, not inside.

Michael
(This used to be commit 47c8b3391c)
2008-08-01 16:07:04 +02:00
Michael Adam
58e0b8d568 libnet dssync: refactor creation of request out into new function
libnet_dssync_build_request().

Michael
(This used to be commit d745c1af40)
2008-08-01 16:07:04 +02:00
Michael Adam
c655e295ef vampire keytab: add switch --repl-nodiff to trigger full replication.
I.e. replication without keeping track of the up to date vector.

Michael
(This used to be commit d4b36e447b)
2008-08-01 16:07:04 +02:00
Michael Adam
260bbf13d2 dssync keytab: store the samaccountname in the keytab for diff replication.
When retrieving a diff replication, the sAMAccountName attribute is usually
not replicated. So in order to build the principal, we need to store the
sAMAccountName in the keytab, referenced by the DN of the object, so that
it can be retrieved if necessary.

It is stored in the form of SAMACCOUNTNAME/object_dn@dns_domain_name
with kvno=0 and ENCTYPE_NONE.

Michael
(This used to be commit 54e2dc1f4e)
2008-08-01 16:04:43 +02:00
Michael Adam
f6bc42d80c dssync keytab: move handling of removal of duplicates to libnet_keytab_add_entry().
This makes libnet_keytab_remove_entries static and moves it up.
libnet_keytab_add_entry() now removes the duplicates in advance.
No special handling needed for the UTDV - this is also needed
for other entries...

Michael
(This used to be commit 3c46374544)
2008-08-01 16:04:43 +02:00
Michael Adam
a6e5a5d714 libnet_keytab: add some debug statements to libnet_keytab_search().
Michael
(This used to be commit d3354c3516)
2008-08-01 16:04:43 +02:00
Michael Adam
e1fee8ca6d dssync keytab: store the UpToDate vector with ENCTYPE_NULL.
Michael
(This used to be commit 9fbc3d4903)
2008-08-01 16:04:43 +02:00
Michael Adam
ea8129b5f0 libnet keytab: use libnet_keytab_add_entry() in libnet_keytab_add().
This will in particular allow us to store ENCTYPE_NULL.

Michael
(This used to be commit 85c7e3ae29)
2008-08-01 16:04:43 +02:00
Michael Adam
ca0cbabd36 libnet keytab: add function libnet_keytab_add_entry()
This is a stripped down version of smb_krb5_kt_add_entry() that
takes one explicit enctype instead of an array. And it does
neither salting of keys nor cleanup of old entries.

Michael
(This used to be commit c83e54f1eb)
2008-08-01 16:04:43 +02:00
Michael Adam
d74f57826a dssync keytab: log the DN of the object to be parsed.
For debugging purposes.

Michael
(This used to be commit 6913919e3a)
2008-08-01 16:04:43 +02:00
Michael Adam
86f91a2ba1 dssync keytab: remove old UpToDateNess vectors from keytab before storing new one.
Michael
(This used to be commit 717bd6f6c3)
2008-08-01 16:04:42 +02:00
Michael Adam
7205dd5d12 libnet keytab: add function libnet_keytab_remove_entries().
This can be used to remove entries of given principal, kvno and enctype.

Michael
(This used to be commit a6f61c05b2)
2008-08-01 16:04:42 +02:00
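The add/remove/search bookkeeping described in the libnet_keytab_remove_entries() commit here, and the ignore_kvno and clean_old_entries behaviour described in the commits further up, as an added example that is not Samba's code: an in-memory keytab with a minimal writer and parser for the MIT keytab v2 on-disk layout (0x0502, big-endian, optional 32-bit kvno trailer), so the cleanup semantics can be run end to end. The realm, principals, key bytes and the UTDV blob are constructed sample data; the UTDV/... and ENCTYPE_NULL conventions follow the commit messages, everything else is this example's own choice.

```python
"""Added example (not Samba code): keytab add/remove/search semantics on a
minimal MIT keytab v2 model. Sample realm, principals and keys are constructed."""
import struct
from dataclasses import dataclass

ENCTYPE_NULL = 0            # used for the UTDV / SAMACCOUNTNAME pseudo-entries
ENCTYPE_AES256_CTS = 18
ENCTYPE_ARCFOUR_HMAC = 23
KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2, all fields big-endian


@dataclass(frozen=True)
class Entry:
    principal: str          # "comp1/comp2@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def encode_entry(e: Entry) -> bytes:
    """Serialise one entry; the 32-bit kvno extension is always appended."""
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, e.timestamp,
                        e.kvno & 0xFF, e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)
    return struct.pack(">i", len(body)) + body


def dump_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data: bytes) -> list:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # negative size: hole left by a deleted entry
            off += -size
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off)
        off += 4
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            off += 2
            comps.append(data[off:off + clen].decode())
            off += clen
        _, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:          # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(Entry("/".join(comps) + "@" + realm, kvno, etype, key, ts))
        off = end
    return entries


def remove_entries(entries, principal, kvno, enctype, ignore_kvno=False):
    """Drop entries matching principal and enctype; with ignore_kvno, every kvno."""
    return [e for e in entries
            if not (e.principal == principal and e.enctype == enctype
                    and (ignore_kvno or e.kvno == kvno))]


def add_entry(entries, new, clean_old_entries=False):
    """Replace an exact duplicate (principal, kvno, enctype) in advance; with
    clean_old_entries also purge the other kvnos of that principal/enctype."""
    entries = remove_entries(entries, new.principal, new.kvno, new.enctype,
                             ignore_kvno=clean_old_entries)
    return entries + [new]


def search(entries, principal, kvno, enctype):
    for e in entries:
        if (e.principal, e.kvno, e.enctype) == (principal, kvno, enctype):
            return e
    return None


def demo():
    """Constructed sample: one host account across three kvnos plus a UTDV entry."""
    realm = "AD.EXAMPLE.COM"                                   # constructed
    host = f"host/dc1.ad.example.com@{realm}"                  # constructed
    utdv = f"UTDV/DC=ad,DC=example,DC=com@{realm}"             # naming as in the commits
    kt = add_entry([], Entry(host, 1, ENCTYPE_AES256_CTS, b"\x11" * 32))
    kt = add_entry(kt, Entry(host, 1, ENCTYPE_ARCFOUR_HMAC, b"\x22" * 16))
    kt = add_entry(kt, Entry(utdv, 0, ENCTYPE_NULL, b"old-utdv-blob"))
    kt = add_entry(kt, Entry(host, 2, ENCTYPE_AES256_CTS, b"\x33" * 32))   # kvno 1 kept
    kt = add_entry(kt, Entry(host, 3, ENCTYPE_AES256_CTS, b"\x44" * 32),
                   clean_old_entries=True)                       # AES kvno 1 and 2 purged
    kt = add_entry(kt, Entry(utdv, 0, ENCTYPE_NULL, b"new-utdv-blob"))     # replaces old UTDV
    return parse_keytab(dump_keytab(kt))                         # round-trip through bytes
```

Note that clean_old_entries only touches the enctype being written: the ARCFOUR key at kvno 1 survives the AES cleanup, which is why the commit above recommends combining --clean-old-entries with a full or single-object replication so every enctype of the account is actually rewritten.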
Michael Adam
3fa9e5fdd4 libnet_keytab: cleanup libnet_keytab_search().
Michael
(This used to be commit 344428d96c)
2008-08-01 16:04:42 +02:00
Michael Adam
0f94a38580 libnet keytab: test for matching enctype in libnet_keytab_search().
Michael
(This used to be commit 484b35f319)
2008-08-01 16:04:42 +02:00
Michael Adam
31c67f939f dssync keytab: add parsing and logging of servicePrincipalName-s
As with the userPrincipalName, this is for debugging purposes only (for now..).

Michael
(This used to be commit 7a1d526cba)
2008-08-01 16:04:42 +02:00
Michael Adam
7d7e8907ca dssync keytab: fix comma placement in debug output
Michael
(This used to be commit d21ea83f93)
2008-08-01 16:04:42 +02:00
Michael Adam
8003c93a27 dssync keytab: add debugging output when skipping an object.
Michael
(This used to be commit f3c110097f)
2008-08-01 16:04:42 +02:00
Michael Adam
18976c0129 libnet keytab: add enctype parameter to libnet_keytab_search().
Not really used yet.

Note: callers use ENCTYPE_ARCFOUR_HMAC enctype for UTDV (for now).
This is what is currently stored. This is to be changed
to ENCTYPE_NULL.

Michael
(This used to be commit cb91d07413)
2008-08-01 16:04:42 +02:00
Michael Adam
363fd6e297 dssync keytab: also store enctypes in the libnet_keytype_entry structs.
Still unused by the libnet_keytab_add() function.
This will follow.
In preparation of supporting multiple encryption types in libnet_dssync_keytab.

Michael
(This used to be commit 447b8b1122)
2008-08-01 16:04:41 +02:00
Michael Adam
f97ba38c3f libnet_keytab: add enctype field to libnet_keytab_entry struct.
In preparation of supporting more encryption types in libnet_dssync_keytab.

Michael
(This used to be commit 2b000a2acd)
2008-08-01 16:04:41 +02:00
Michael Adam
d42160f9de dssync: allow replications of a single obj with net rpc vampire keytab.
This is triggered by setting the new "single" flag in the dssync_context
and filling the "object_dn" member with the dn of the object to be
fetched.

This call is accomplished by specifying the DRSUAPI_EXOP_REPL_OBJ
extended operation in the DsGetNCChanges request. This variant does
honor an up-to-date-ness vector passed in, but the answer does not
return a new up-to-dateness vector.

Call this operation as "net rpc vampire keytab /path/keytab object_dn".

Michael
(This used to be commit f4a01178a3)
2008-08-01 16:04:41 +02:00
Michael Adam
4d946b5932 dssync: pass uptodateness vector into and out of DsGetNCChanges request.
Also store the new uptodateness vector in the backend after completion
and retrieve the old vector before sending the DsGetNCChanges request.

This effectively accomplishes differential replication.

Michael
(This used to be commit a2a88808df)
2008-08-01 16:04:41 +02:00
Michael Adam
55791799b5 dssync: skip analysis of the msDS_KeyVersionNumber attribute:
It is a calculated attribute that won't get distributed via replication.

Michael
(This used to be commit d75b7a2052)
2008-08-01 16:04:41 +02:00
Michael Adam
26cceb8118 dssync: either use the req5 or the req8 request, depending on the supported_extensions
that have been recorded in the remote_info28 in the dssync_context.

Michael
(This used to be commit 3a2a69137e)
2008-08-01 16:04:41 +02:00
Michael Adam
0f98b99483 dssync: record the bind info in the new remote_info28 in libnet_dssync_bind().
This extracts the info24 data in case this is what was returned (instead of info28).
E.g. windows 2000 returns info24.

Michael
(This used to be commit 61b41aa615)
2008-08-01 16:04:41 +02:00
Michael Adam
55b2d50926 dssync: add a drsuapi_DsBindInfo28 struct to the dssync_context struct
to keep track of what the server told us upon DsBind.

Michael
(This used to be commit bf17d6af61)
2008-08-01 16:04:40 +02:00
Michael Adam
9f6af6fe7c dssync keytab: wrap printing of the uptodate vector in DEBUGLEVEL >= 10 checks
Michael
(This used to be commit 7fabe2567d)
2008-08-01 16:04:40 +02:00
Michael Adam
0db26805da dssync keytab: add support for keeping track of the up-to-date-ness vector.
The startup operation should get the old up-to-date-ness vector from the backend
and the finish operation should store the new vector to the backend after replication.

This adds the change of the signatures of the operations to the dssync_ops struct
and the implementation for the keytab ops. The up-to-date-ness vector is stored
under the principal constructed as UTDV/$naming_context_dn@$dns_domain_name.

The vector is still uninterpreted in libnet_dssync_process().
This will be the next step...

This code is essentially by Metze.

Michael
(This used to be commit 01318fb27a)
2008-08-01 16:04:40 +02:00
Michael Adam
54d6ae09e2 libnet_keytab: add a libnet_keytab_search() function
that searches and fetches an entry from a keytab file by principal and kvno.

This code is by metze.

Michael
(This used to be commit a51a60066b)
2008-08-01 16:04:40 +02:00
Michael Adam
7bd3ea0b6f dssync keytab: use add_to_keytab_entries() for pwd history in parse_object().
Michael
(This used to be commit 61f071de92)
2008-08-01 16:04:40 +02:00
Michael Adam
764691fdd1 dssync keytab: add prefix parameter to add_to_keytab_entries() for flexibility.
This will allow to construct principals of the form PREFIX/name@domain

Michael
(This used to be commit 7dd32b56a6)
2008-08-01 16:04:40 +02:00
Michael Adam
c1b9eb278f dssync keytab: add check for success of ADD_TO_ARRAY().
Michael
(This used to be commit e6f6e61da4)
2008-08-01 16:04:39 +02:00