IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)"
in places in the dsdb code where we don't already explicitly set an
error string. This should make is much easier to track down dsdb
module bugs that result in an operations error.
This control will allow the linked_attributes module to know if
repl_meta_data has already handled the creation of forward and back
links.
Andrew Bartlett
"size_t" counters aren't really needed here (we don't check data lengths).
And we save the result in a certain "num_sids" variable which is of type
"unsigned".
This needed by the "cn_name_len"-1 accesses.
And use a "size_t"-typed variable for storing it (length specificators should
always be stored using "size_t" variables).
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
This is needed since we have not only reset operations on password fields
(attributes marked with REPLACE flag) but also change operations which can be
performed by users itself. They have one attribute with the old value marked
with the REMOVE flag and one with the new one marked with the ADD flag.
This function helps to retrieve them (argument "new" is used for the new
password on both reset and change).
Check on modify if we are RODC and return referral.
On the ldap backend side now we pass context and ldb_modify_default_callback
to propagate the referral error to the client.
The lookup of the client site is done using the subnets in the configuration
partition. If no one matches we use the Windows Server fallback mechansim.
This means: if only one site is available just use it. If they're more set the
output variable to "".
Signed-off-by: Andrew Tridgell <tridge@samba.org>
this validates that a invocationID matches an account sid
This will be used to ensure that we don't allow DRS replication
from someone a non-DC or administrator
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This function is intended to check if some client is not lying about
his flags. At this moment, it only checks for RODC flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This patch creates the samdb_is_rodc() function, which looks for
the NTDSDSA object for a DC that has a specific invocationId
and if msDS-isRODC is present on such object and it is TRUE, then
consider the DC as a RODC.
The new samdb_rodc() function uses the samdb_is_rodc() function
for the local server.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This function should not traverse the module stack again, but instead
run from this point. Also add a matching
dsdb_module_load_partition_usn() and change repl_meta_data to match.
Andrew Bartlett
Made this an utility function so it can be used for access checking
outside of the acl ldb module, such as checking validated writes and
control access rights in other protocols (e. g drs)
when the ntds objects were moved by a recent change it broke the
calculation of the server site
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
In a single record search, LDB_ERR_CONSTRAINT_VIOLATION is more useful
than the generic LDB_ERR_OPERATIONS_ERROR
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
dsdb_find_dn_by_guid() now takes a struct GUID instead of a
guid_string. All the callers in fact wanted a struct GUID, so we now
avoid the extra conversion.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
When a object or attribute is created/updated/deleted, according
to [MS-ADTS] 3.1.1.5.1.6, it stores the uSNUrgent on @REPLCHANGED
for the partitions that it belongs.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This is important as LDAP servers always play with int64 values
and we have to encode 0x8000000000000000LL as "-9223372036854775808"
instead of "9223372036854775808".
metze
When a client supplied an uptodateness_vector, we can use it to filter
what objects we return. This greatly reduces the amount of replication
traffic between DCs.
This returns a 'reference' DN, which is a link to a DN, from the
specified object. It is then used by samdb_server_reference_dn() which
returns the serverReference DN, and samdb_rid_manager_dn() which
returns the rIDManagerReference DN.
They won't work when the LDB change is done using "samdb_replace"
(consider "samr_password.c" functions).
I think this has been a relict which has been useful before the "password_hash"
module existed. Basically it itself does now the updates.
This is based on the code from Eduardo Lima <eduardoll@gmail.com>, but
uses the new helper functions added in the last couple of commits
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This is based on the function of the same name from Eduardo Lima
<eduardoll@gmail.com>, but using ldb_dn_compare, to give us
comparisons consistent with what the rest of the code uses.
We will use this function in combination with dsdb_wellknown_dn() to
find the Deleted Objects container for any object.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
- We should clean up such "helper" objects created in this function to don't
have them around until "mem_ctx" is destroyed
- Remove a from my view pointless comment "This is a password set, not change"
since an external argument "user_change" decides this ("modify" or "(re)set")
This avoids doing a new search from the top of the module stack.
This also removes the helper function dsdb_find_parentguid_by_dn()
which is now unused.
Andrew Bartlett
In general functions that don't return any memory should not take a memory context.
Otherwise it is too easy to have a bug like this where memory is leaked
dsdb_find_parentguid_by_dn() returns the parentGUID for a given DN
dsdb_msg_add_guid() adds a GUID value to a given message (either
objectGUID or parentGUID).
Signed-off-by: Andrew Tridgell <tridge@samba.org>
I've left out those for which I could not find an expected value in my
default Windows 2003 server's database, and the values that rely on
the current prefix map at the time.
Andrew Bartlett
These changes include reworking the code to call ldb_module_get_ctx()
less often (avoid the function calls, particularly during the step
into a complex function).
Andrew Bartlett
This deactivates the password complexity check, but not the minimum password
length one, since the length is specified.
This change is needed by my password module work.
This was a bad idea all along, as Simo said at the time. With the
full MS schema and enforcement of it, it is an even worse idea.
This fixes the provision of the member server in 'make test'
Andrew Bartlett
I came up with a better solution which is invoked when we try to join a domain
as a DC (in file "libnet_become_dc.c"). Consider a following commit for this
patch.
This adds a function which performs the check for the supported forest and
domain function levels. On an unsuccessful result a textual error message can
be created (parameter "errmsg" != NULL) which gives hints for the user to help
him fixing the issue.
If we already have a repsFrom for a particular DC and naming context
then we should not overwrite it, as it contains info on what
replication we've already done
The parameters "lmNewHash" and/or "ntNewHash" could be NULL and when we perform
write operations on them (look below in the code) we could get SIGSEGVs!
This bit actually means that we should ignore the minimum password
length field for this user. It doesn't mean that the password should
be seen as empty
I'm very glad we have such a comprehensive testsuite for the SAMR
password change process, as it makes this a much easier task to get
right.
Andrew Bartlett
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
This attribute is used in a very similar way (virtual attribute
updating the password) in AD on Win2003, so eliminate the difference.
This should not cause a problem for on-disk passwords, as by default
we do not store the plaintext at all.
Andrew Bartlett
(This used to be commit 1cf0d75149)
This change removes a dependency on objectclass=domainDNS, and avoids
a subtree search when we really know exactly where this record is.
Andrew Bartlett
(This used to be commit 52947fc0c0)
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b05)
Windows uses 2 different values to indicate an account doesn't expire: 0 and
9223372036854775807 (0x7FFFFFFFFFFFFFFFULL).
This function looks up the value of the accountExpires attribute and if the
value is either value indicating the account doesn't expire,
0x7FFFFFFFFFFFFFFFULL is returned.
This simplifies the tests for account expiration. There is no need to check
elsewhere in the code for both values, therefore a simple greater-than
expression can be used.
(This used to be commit 7ce5575a3a)
This takes the previous patches further, so we catch all the cases
(the KDC looked at the time directly).
Andrew Bartlett
(This used to be commit cda4642a93)
More correctly handle expired passwords, and do not expire machine accounts.
Test that the behaviour is consistant with windows, using the RPC-SAMR test.
Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.
Andrew Bartlett
(This used to be commit acda1f69bc)
a new torture suite to match.
This should fix bug #4954 by Matthias Wallnöfer <mwallnoefer@yahoo.de>
Previously we had no knowlege of BUILTIN or well-known names.
This code needs expansion to check with winbind for trusted domains.
Andrew Bartlett
(This used to be commit e6fc0e1f54)
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77)
Do not change unixName right now, we don't have an attribute to use in the posixGroup class,
and I think we should remove its usage altogether and look up users and groups by their uid/gid only.
Simo.
(This used to be commit d57b521aad)
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3)
the idea is to have a directory service db layer
which will be used by the ldap server, samr server, drsuapi server
authentification...
I plan to make different implementations of this interface possible
- current default will be the current samdb code with sam.ldb
- a compat implementation for samba3 (if someone wants to write one)
- a new dsdb implementation which:
- understands naming contexts (directory parrtitions)
- do schema and acl checking checking
- maintain objectGUID, timestamps and USN number,
maybe linked attributes ('member' and 'memberOf' attributes)
- store metadata on a attribute=value combination...
metze
(This used to be commit 893a8b8bca)
