Nadezhda Ivanova
99ac4e92ff
s4-ldbmodules: Added new module aclread to handle access checks on LDAP search
It is currently enabled only if the request comes from the LDAP server, and is
disabled by default. Use acl:search=true in smb.conf to enable it.
It filters out all objects the user is not allowed to see, and all attributes
the user does not have RP on. Extended access not supported yet.
2010-09-26 15:36:09 -07:00
Nadezhda Ivanova
93ba17285d
s4-tests: Added tests for search checks on attributes
The ACL read tests are in the knownfail because aclread module is not
enabled by default
2010-09-26 15:36:09 -07:00
Nadezhda Ivanova
3e08965369
s4-tests: Removed search tests with anonymous credentials as they fail against Windows
These tests will fail in make test as well if the acl_read module is enabled.
2010-09-26 15:36:09 -07:00
Nadezhda Ivanova
dc9991ab0e
s4-dsdb: Added a function to check access on a particular object by its guid
Similar to dsdb_check_access_on_dn, only it searches by guid.
2010-09-26 15:36:09 -07:00
Nadezhda Ivanova
4d3f528411
s4-dsdb: A helper to determine if an attribute is part of the search filter
2010-09-26 15:36:09 -07:00
Nadezhda Ivanova
b77edca7f8
s4-dsdb: Moved some helper functions to a separate file
We need these to be accessible to the aclread module as well.
2010-09-26 15:36:09 -07:00
Nadezhda Ivanova
3d0e36bc87
s4-ldap: Added a control to apply the access checks on read via LDAP
2010-09-26 15:36:09 -07:00
Andrew Tridgell
7dbfeb0dc0
s4-auth: fixed the SID list for DCs in the PAC
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
2010-09-26 07:09:08 +00:00
Kamen Mazdrashki
f1b3c4dd38
s4-possibleinferiors.py: Fix usage of 'paged_search' module for remote LDB connections
2010-09-26 02:25:13 +03:00
Kamen Mazdrashki
04826b65f6
s4-sec_descriptor.py: Fix usage of 'paged_search' module for remote LDB connections
2010-09-26 02:25:12 +03:00
Kamen Mazdrashki
7a7068f2ed
s4-ldap_schema.py: Remove unused LDB connection to GC port
2010-09-26 02:25:11 +03:00
Kamen Mazdrashki
8780d2934b
s4-dsdb_schema_info.py: Fix usage of 'paged_search' module for remote LDB connections
2010-09-26 02:25:11 +03:00
Andrew Tridgell
85ba79063f
ldb: mark the location of a lot more ldb requests
2010-09-25 10:38:45 -07:00
Andrew Tridgell
5568fcd88b
s4-dsdb: added tagging of requests in dsdb modules
this allows you to call dsdb_req_chain_debug() in gdb or when writing
debug code to see the request chain
2010-09-25 10:38:45 -07:00
Andrew Tridgell
bd228f9858
s4-repl: don't store repsFrom on DNs other than NC heads
we don't want a repsFrom on the RID Manager$ DN
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-25 10:38:45 -07:00
Andrew Tridgell
a1d52540a3
s4-repl: use namingContexts from rootDSE to initialise partition list
this is preferable to looking for the hasMasterNCs attribute on
nTDSDSA objects.
2010-09-25 10:38:44 -07:00
Andrew Tridgell
370446769d
s4-repl: force on WRIT_REP when we are a writable replica
this ensures we always mark ourselves as writeable when we are not
an RODC
2010-09-25 10:38:44 -07:00
Andrew Tridgell
3aea12d0ab
s4-repl: use dreplsrv_partition_source_dsa_by_guid to find source dsa
this avoids a list walk in the calling code
2010-09-25 10:38:44 -07:00
Nadezhda Ivanova
99f0891944
s4-dsdb: Fixed a call to the wrong ops function in dsdb_module_search_dn.
2010-09-25 10:19:11 -07:00
Andrew Bartlett
c9b19d9b69
s4-kerberos Rework keytab handling to export servicePrincipalName entries
This creates keytab entries with all the servicePrincipalNames listed
in the secrets.ldb entry.
Andrew Bartlett
2010-09-24 15:07:56 +10:00
Andrew Bartlett
f03913e2cc
s4-kerberos Move 'set key into keytab' code out of credentials.
This code never really belonged in the credentials layer, and
is easier done with direct access to the ldb_message that is
in secrets.ldb.
Andrew Bartlett
2010-09-24 09:25:44 +10:00
Matthias Dieter Wallnöfer
964f992779
s4:repl_meta_data - also on delete operations the new RDN attribute has to be casefolded correctly
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
30afa65785
s4:lazy_commit LDB module - the "show_deleted" control is initialised by the "show_deleted" LDB module
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
29e3806b0e
s4:rootdse LDB module - make use of "dsdb_forest_functional_level"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
9123bcbf77
s4:ldap.py - add tests for the "dsServiceName", "serverName", "dnsHostName" and "ldapServiceName" rootDSE attributes
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
1d9a348144
s4:rootdse LDB module - introduce dynamic "ldapServiceName"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
681106af4f
s4:rootdse LDB module - introduce dynamic "dnsHostName" attribute
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
5fd7bc8564
s4:rootdse LDB module - make "serverName" dynamic
This helps to fix bug #7347. "dsServiceName" cannot be made dynamic in such a
simple way since it's already needed on LDB initialisation time.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:43 +10:00
Matthias Dieter Wallnöfer
e446ef1c3f
s4:rootdse LDB module - remove "priv" checks where not needed
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
f1535694f7
s4:rootdse LDB module - better that the "edn" control handling is done last
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
679eb33e79
s4:samldb LDB module - it isn't allowed to create user/computer accounts with a primary group specified
It can only be changed afterwards. We allow a "relax"ed exception for the
provision state since we need this for the guest account.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
2e913994f2
s4:dsdb/common/util_samr.c - remove the primary group specifications
Now the primary group detection/change also works on modify operations
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
c03ec03212
s4:ldap.py - test default primary groups on modify operations
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
f46c6233e7
s4:samldb LDB module - support the "userAccountControl" -> "primaryGroupID" detection also on modify operations
Also requested by MS-SAMR 3.1.1.8.1.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
72bb8c3fb3
s4:ldap.py - enhance SAM user/groups behaviour test regarding default primary groups
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:42 +10:00
Matthias Dieter Wallnöfer
f84724cebc
s4:rootdse LDB module - make more use of LDB result constants
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
08298457d4
s4:rootdse LDB module - fix comment typo
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
7a1a0cde2e
s4:password_hash LDB module - don't assign "lp_ctx" twice
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
e59cdaf40e
s4:rootdse LDB module - fix counter types
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
1a1be71eb8
s4:extended_dn_in LDB module - fix a counter type
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Matthias Dieter Wallnöfer
6c349d479f
s4:drepl_out_helpers.c - fix a counter type
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-24 09:25:41 +10:00
Anatoliy Atanasov
67b6252eed
s4/dsdb:kcc: cleanup and improve readability
2010-09-23 08:41:05 -07:00
Stefan Metzmacher
519180c341
s4:dsdb/kcc: we don't need to manually allocate [out,ref] pointers anymore
metze
Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-23 08:41:05 -07:00
Andrew Tridgell
d2008fbbb9
s4-kcc: the kcc should not be setting the repsTo attribute
repsTo is set by other DCs, when they ask to be notified about changes
in a partition
2010-09-23 07:17:57 +00:00
Andrew Tridgell
d1cbd68bb1
s4-kcc: added service->am_rodc
use a rodc flag on the service instead of calling samdb_rodc each time
2010-09-23 07:17:57 +00:00
Andrew Tridgell
c166b44b47
s4-kcc: pass the service context into the kcc connection code
this will be used for the RODC changes needed for the kcc
2010-09-23 07:17:56 +00:00
Jelmer Vernooij
cc5b673e18
s4-selftest: Move samba3sam test to standard python directory.
2010-09-22 22:29:09 -07:00
Jelmer Vernooij
1716cdbef3
dsdb: Use short path for ldb_handlers.h, in case ldb is installed in the system.
2010-09-22 17:48:24 -07:00
Nadezhda Ivanova
aa57fd8224
s4-ldap: Fixed a problem with NCs having a parentGUID attribute
NCs other than the default NC had a parentGUID, due to an incorrect check of whether
the object has a parent. Fixed by checking object's instanceType instead.
2010-09-21 09:10:54 -07:00
Andrew Tridgell
7ffcf90bb9
s4-drepl: use the partition UDV and hwm for extended getncchanges ops
we find the NC root then load the uptodateness vector and highwater
mark, if available, from there
2010-09-20 21:51:08 -07:00