IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The biggest change consists in the implementation of the Windows Server
return size formula MIN(*r->out.num_entries, 1+(r->in.max_size/SAMR_ENUM_USERS_MULTIPLIER).
Windows 2000 does strictly request header signing on some requests also if the
server doesn't provide it. But there is a small trick (don't reset the actual
session info) to make these special RPC operations work without a full header
signing implementation.
This fixes for example the list of domain groups in local groups when displayed
sing the local user/group management tool.
And this should finally fix bug #7113.
The patch was inspired by another one by tridge and abartlet: http://gitweb.samba.org/samba.git/?p=tridge/samba.git;a=commitdiff;h=2dc19e2878371264606575d3fc09176776be7729
"size_t" counters aren't really needed here (we don't check data lengths).
And we save the result in a certain "num_sids" variable which is of type
"unsigned".
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
w2k8r2 returns the local DC information on no inputs for
getDcNameEx2. This is needed for starting dsa.msc (ADUC) on
Win7.
CDLAP on the same call returns an error. This uses a parameter
fill_on_blank_request to distinguish the two cases.
When we aren't a DC we shouldn't have the netlogon pipe available.
[MS-NRPC 1.3] says that we can only have DCs on the server side.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This implementation checks if the domainname is valid for us or a trusted domain.
Then I've also added the PDC location functionality. That means that we should
return "WERR_NO_SUCH_DOMAIN" (MS-NRPC 3.5.5.2.5).
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This checks whether a replication client is a RODC by inclusion of the
the DOMAIN_RID_ENTERPRISE_READONLY_DCS sid in the users token
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
Non-administrator replication checks the invocationId matches
the sid of the user token being used
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
During building an object to send it on a GetNCChanges reply, it checks
the attributes and if any of them is a RODC filtered and the recipient
is a RODC, then such attribute is not sent.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This patch creates the samdb_is_rodc() function, which looks for
the NTDSDSA object for a DC that has a specific invocationId
and if msDS-isRODC is present on such object and it is TRUE, then
consider the DC as a RODC.
The new samdb_rodc() function uses the samdb_is_rodc() function
for the local server.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This should always return a simple structure with no need to consult a
DB, so remove the event context, and simplfy to call helper functions
that don't look at privilages.
Andrew Bartlett
This isn't needed at all since:
1.) a new name object is created and sent back to the client
2.) the "size" seems to be the size of the "name" pointer. On my test with the
"regedt32" program this has always been "4".
This choses an appropriate talloc context to attach the schema too,
long enough lived to ensure it does not go away before the operation
compleates.
Andrew Bartlett
The replPropertyMetaData may contain attrid values that we don't yet
have in the local schema. We need to deal with this - it is a serious
error, but we should not segfault.
Andrew Bartlett
r->out.total_entries = 0; should be *r->out.total_entries = 0;
Otherwise we fail to marshall the reponse or crash if we run with
log level = 10 and trigger the ndr_print functions.
All out elements are already setup and initialized by the pidl generated code.
metze
Here it doesn't matter, but it's a bad example for other code
as it might reset the [out,ref] pointers which are already
generated by the pidl generated code.
metze
Make the resultcodes consistent: that means:
result < 0 -> NT_STATUS_INTERNAL_DB_CORRUPTION since our DB had a critical
error
result >= 0 -> depends on the function usage. I tried to let the logic always as
it was before.
The "count" size specifiers I typed "uint32_t" since they're often returned as
an "uint32_t" (consider the IDL file). LDB counters need to be "signed" if they
count till a limit of a "gendb*" call or "unsigned" if they count directly the
number of objects.
The "count" size specifiers I typed "uint32_t" since they're often returned as
an "uint32_t" (consider the IDL file). LDB counters need to be "signed" if they
count till a limit of a "gendb*" call or "unsigned" if they count directly the
number of objects.
Previous commit was incomplete. The "service" parameter in the "tcon" structure
should point to "scfg->name". I'm not sure if "share" is right but the first
was used before commit f390daef47.
This is needed since this particular "i" counts until "count" which itself is
signed. "count" is set through a signed integer variable parameter from the
"share_list_all" call.
Converting the sid to a string and then storing a string does not save the sid
in the right format. Causing following retrievals to fail to read back a sid
with samdb_result_dom_sid().
Do not use policy_state->sam_ldb and trusted_domain_state->policy->sam_ldb
interchangeably all over the place. Just use sam_ldb everywhere and make the
code slightly more readable.
After looking at the s4 side of the (s)channel :) I found out that it makes
more sense to simply make it use the tdb based code than redo the same changes
done to s3 to simplify the interface.
Ldb is slow, to the point it needs haks to pre-open the db to speed it up, yet
that does not solve the lookup speed, with ldb it is always going to be slower.
Looking through the history it is evident that the schannel database doesn't
really need greate expanadability. And lookups are always done with a single
Key. This seem a perfet fit for tdb while ldb looks unnecessarily complicated.
The schannel database is not really a persistent one. It can be discared during
an upgrade without causing any real issue. all it contains is temproary session
data.
Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on the caller's
security requirements (Integrity/Privacy/Both/None)
This is the same change applied to s3
Simo, I'm not really sure that those checks are valid. I read MS-NRPC section
3.5.4.1 about LOGONSRV_HANDLEs ("server_name" is of this type). There isn't
stated that the server name has necessarily to be in the DNS form and should
also be valid when it's NULL (if DCE server and client are the same - I don't
know if me make use of it in s4).
Actually return trust relationships by searching the appropriate
entries in the SAM database.
Add checks and return the correct flags, type and attributes.
This allows the interface version to be forwarded to the remote server
in the RPC proxy, both in the endpoint lookup and the subsequent bind.
Andrew Bartlett
By recording the association group the remote server assigned to our
proxied RPC connection, we can ensure we use the same value when the
client wishes to use it.
This isn't stored in a private pointer, as mapiproxy will want to use
this feature too.
Andrew Bartlett
The recent dcerpc padding changes made our padding relative to the
packet header, instead of the start of the stub. Surprisingly, this
broke w2k8r2 doing a dcpromo join to a s4 server. It seems that w2k8r2
is very fussy about the padding it gets in some circumstances.
Cope with a wider range of auth padding in dcerpc bind_ack and
alter_context packets. We now use a helper function that calculates
the right auth padding.
This should return NT_STATUS_INVALID_PARAMETER.
This makes samba pass the first part of the samr-lockout test.
This constraint is documented here for the samr server:
http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
and here for the ldap backend:
http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
MS-ADTS 3.1.1.5.3.2 Constraints
So the check should actually be moved down into the backend,
i.e. under dsdb/samdb/ldb_modules - TODO..
Michael
The documentation shows that all these functions in fact use the same
flags variable type. To be consistent between functions, and to allow
easy reference to the WSPP docs, it is better for us to also use this
generic DrsOptions bitfield rather than one per operations.
This patch includes the framework for the implementation of all infoTypes of
the DsGetReplInfo() call, and includes the implementation for the first one,
the DS_REPL_INFO_NEIGHBORS.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
When a client supplied an uptodateness_vector, we can use it to filter
what objects we return. This greatly reduces the amount of replication
traffic between DCs.
In general functions that don't return any memory should not take a memory context.
Otherwise it is too easy to have a bug like this where memory is leaked
When windows abandons a DRS sync, it will sometimes re-use the same bind handle for
a new sync. This means we need to check the DN of the sync and blank the getnc_state
if the DN has changed.
This also fixes the UDV to use the highest uSN for the partition, not for
the whole SAM.
This reverts commit 87b6f2e863.
This was the cause of the breakage of the "LogonGetDomainInfo" testsuite. I
think my behaviour is more correct to Windows Server since the test works
against it (at least release 2003 R2).
One problem I discovered is that freshly joined workstations don't get their
DNS name into the directory. Therefore I think also another part (maybe another
RPC call) is able to do this.
This allows us to reuse a ldb context if it is open twice, instead
of going through the expensive process of a full ldb open. We can
reuse it if all of the parameters are the same.
The change relies on callers using talloc_unlink() or free of a parent
to close a ldb context.
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
We were storing privileges in the sam, which was OK when we were a
standalone DC, but is no good when we replicate with a windows DC.
This moves the privileges to a separate (local) database
I don't think that this code needs to exist identically on the server and on the
client side. This patch leaves it on the client side (dcerpc lib) and calls it
from the server.
The DRSUAPI_DRS_ADD_REF flag tells the DRS server to run an UpdateRefs
call on behalf of the client after the DsGetNCChanges call. The lack
of support for this option may explain why the repsTo attribute was
not being created for w2k8-r2 replication partners.
The DsUpdateRefs calls takes a set of flags that indicates if the
server should ignore specific add/delete error codes.
This patch also exposes the core UpdateRefs call into a public
function, so that it can be called from DsGetNCChanges
For KERBEROS applications the realm should be upcase (function "lp_realm") but
for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch
implements the use of both in the right way.
In this code part under certain circumstances we can end up with an empty message.
Since our new behaviour denies them (like the real AD) we need to bypass them
on LDB modify calls.
When we indicate that a getncchanges request is not complete, we set
the more_data flag to true in the response. The client usually then
asks for the next block of data. If the client decides it wants to
skip that replication and do a different replication then we need to
make sure that the next call is in fact a continuation of the existing
call, and not a new call.
This relies on returning the results sorted by uSNChanged, as the
client uses the tmp_highest_usn in each result to see if progress is
being made.
In the srvsvc code for s4 (NTVFS module) there exists a call to "ntvfs_connect"
which is performed with a totally wrong argument. Since I'm not able to fix
this, I commented it out and added a "FIXME" comment.
- always fetch parentGUID from databases, don't rely on parentGUID in
attributes
- re-fetch nc root mesages to avoid the problem of dual messages for
roots
- support returning messages a chunk at a time, using max_object_count
from request
When this flag is specified in the request these attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd
Their value is changed to NULL and the meta_data.originating_change_time to 0
In DsGetNCChanges we need to fill in the parentGUID and objectGUID of
each object, plus we need to filter out the rDN from the meta data,
and always send the instanceType
This supports shared RPC handles across connections on all RPC
interfaces.
It turns out that w2k3 and w2k8 don't actually support this on all
pipes. We need to test which pipes we should enable this on.
This patch allows us to share association groups and their rpc handles
between connections. This is needed for some DRSUAPI behaviour when
recent windows clients connect.
Testing against NetAPP showed that clients can object to being told a
larger max xmit fragment size than they negotiated. Choose the
minimum of the server and client values.
Andrew Bartlett
dcesrv_irpc_forward_rpc_call() can be used to forward an arbitrary RPC
request to another task in Samba4, with the return being handled
asynchronously.
This is useful for forwarding DRS requests to the repl or kcc tasks
When the client tells us the highest_usn they have is N, then we want
to send them objects with usn>N, not>=N, as otherwise we end up
sending them the same object (the one with the highest uSN) again and
again.
