IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This matches the windows behavior.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.
To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.
Andrew Bartlett
When we are acting in the role of a PDC then please return it as status information.
Reviewed-by: Tridge
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Jun 9 12:06:36 CEST 2011 on sn-devel-104
we shouldn't accept bad multi-byte strings, it just hides problems
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
That means when calling "QueryDisplayInfo" on the BUILTIN handle we
still get all related domain objects - for example all domain (global
+ universal) groups. This is contrary to the "EnumDomain..." calls which
do really only return the objects in the specified domain policy handle.
This has been observed against Windows Server 2008 and confirmed by
dochelp.
In the same occasion I've converted from a "gendb*"-oriented search call to "dsdb_search".
Patch-reviewed-by: Andrew Tridgell <tridge@samba.org>
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
To prevent platform-dependant problems.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Jan 15 14:54:14 CET 2011 on sn-devel-104
- Remove TODO comment: MS-SAMR 3.1.5.8.7 explicitly states:
"The SamrRemoveMemberFromForeignDomain method removes a member from all
aliases."
- Remove the search attributes since they aren't strictly needed.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Nov 6 18:07:57 UTC 2010 on sn-devel-104
One pair are universal an global groups (on the SAMR pipe called "groups") and
the other one are the domain and builtin local groups (on the SAMR pipe called
"aliases").
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 25 19:37:27 UTC 2010 on sn-devel-104
All other "samdb_search_*" calls do have one - why "samdb_search_count" doesn't?
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 25 17:42:33 UTC 2010 on sn-devel-104
This reverts commit 8a2ce5c47c.
Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
They're only in use by SAMDB code.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The biggest change consists in the implementation of the Windows Server
return size formula MIN(*r->out.num_entries, 1+(r->in.max_size/SAMR_ENUM_USERS_MULTIPLIER).
"size_t" counters aren't really needed here (we don't check data lengths).
And we save the result in a certain "num_sids" variable which is of type
"unsigned".
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
The "count" size specifiers I typed "uint32_t" since they're often returned as
an "uint32_t" (consider the IDL file). LDB counters need to be "signed" if they
count till a limit of a "gendb*" call or "unsigned" if they count directly the
number of objects.
This should return NT_STATUS_INVALID_PARAMETER.
This makes samba pass the first part of the samr-lockout test.
This constraint is documented here for the samr server:
http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
and here for the ldap backend:
http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
MS-ADTS 3.1.1.5.3.2 Constraints
So the check should actually be moved down into the backend,
i.e. under dsdb/samdb/ldb_modules - TODO..
Michael
In general functions that don't return any memory should not take a memory context.
Otherwise it is too easy to have a bug like this where memory is leaked
This allows us to reuse a ldb context if it is open twice, instead
of going through the expensive process of a full ldb open. We can
reuse it if all of the parameters are the same.
The change relies on callers using talloc_unlink() or free of a parent
to close a ldb context.
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
In this code part under certain circumstances we can end up with an empty message.
Since our new behaviour denies them (like the real AD) we need to bypass them
on LDB modify calls.
When doing some tests with the NT User Manager for Domains on s4 I noticed that the
handling of the primary group for a user wasn't correct. So I fixed this.
Also some cosmetic changes (tab indent corrections).
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.
Andrew Bartlett
The ldb_val is length-limited, and while normally NULL terminated,
this avoids the chance that this particular value might not be, as
well as avoiding a cast.
Andrew Bartlett
I'm very glad we have such a comprehensive testsuite for the SAMR
password change process, as it makes this a much easier task to get
right.
Andrew Bartlett
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
