IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
At the moment no flags are set and it works fine, since this function
is solely used in samldb during ADD requests handling.
Pre-setting a flag make it usefull for other modules and request
handlers too
Change-Id: I7e43dcbe2a8f34e3b0ec16ae2db80ef436df8bfe
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Found by AddressSanitizer
Change-Id: I82e35aea60726053c79510ba8ed3eedfaf553eb7
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Mon Oct 13 08:28:15 CEST 2014 on sn-devel-104
This is not allowed to be odd length, as otherwise we can not send it over the SAMR transport correctly.
Allocating one byte less memory than required causes malloc() heap corruption
and then a crash or lockup of the SAMR server.
Andrew Bartlett
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130
Change-Id: I5c0c531c1d660141e07f884a4789ebe11c1716f6
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This matters after the lockout observation period has expired.
Note: that QueryUserInfo level 3 returns the raw badPwdCount value.
Andrew Bartlett
Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows the password_hash code to call the same update routine.
Andrew Bartlett
Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.
Andrew Bartlett
Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows us to avoid the domain lookup in the constructed attribute
when not required.
By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.
Andrew Bartlett
Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This could cause an all-zero GUID to be entered into the
replPropertyMetaData, which will then fail to be replicated to other
DCs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This ensures (and asserts) that we never write an all-zero GUID as an invocationID
to the database in replPropertyMetaData.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This helps us in the KCC as we need to return the deleted DN for the GUID
in DsReplicaGetInfo calls (tested for deleted servers against Windows 2008R2).
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We should use the global highestCommittedUSN, not the per partition value.
This matches a Windows 2008R2 and 2012 server.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This should give the password_hash module a chance to detect if the called
was the cleartext password or not.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Newer versions of heimdal include a macro that is unfortunately named
'_res'. This change prevents the clash.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We often want to know if we own an FSMO role (for example). This tries to be more
efficient by comparing the GUID, rather than the string DN, as this does not need
to be re-fetched each time.
Andrew Bartlett
As the normal case (outside provision) uses a copy, this avoids a case
where a caller might modify a global variable accidentily.
As suggested by metze.
Andrew Bartlett
As this value is calculated new each time, we need to give it a context to live on.
If the value is the forced value during provision, a reference is taken.
This was responsible for the memory leak in the replication process. In the
example I was given, this DN appeared in memory 13596 times!
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug 14 10:05:14 CEST 2012 on sn-devel-104
As per Section 3.1.1.4.5.26 [MS-ADTS.pdf], password is expired if
pwdLastSet = null, or
pwdLastSet = 0, or
(maxPwdAge != 0x8000000000000000 and (ST - pwdLastSet) > maxPwdAge)
if we repeat the join of a subdomain then we try to re-create the NC
for the subdomain during a DsAddEntry(). This allows that re-creation
to succeed if the NC already exists
this control tells the partition module that the DN being created is a
partial replica, so it should modify the @PARTITION object to add the
partialReplica attribute
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this control is used to ask samdb to not return searches with a basedn
in partial repica partitions, which is needed to support the
difference between a search on the 3268 GC ldap port and the non-GC
389 port
this converts a DC into the equivalent DNS domain. It is used when
forming t_msdcs NTDS DNS names
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
this DN can change due to a server rename, so we cannot cache it. It
is set by provision, but not anywhere else.
This seems to not have a large performance impact
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows us to use dsdb_module_dn_by_guid() from levels below the
extended_dn_out module
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
A helper function for retrieving the ntds site settings
via standalone function call. Used within KCC
Signed-off-by: Andrew Tridgell <tridge@samba.org>
this is not perfect, but its better than always giving
NT_STATUS_UNSUCCESSFUL in our RPC servers
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
If we immediately afterwards perform an LDB base operation then we don't
need an explicit "ldb_dn_validate" check anymore (only OOM makes sense).
Reviewed by: Tridge
It is defined as LDAP syntax 2.5.5.9 so no need at all to treat it as
64-bit integer.
Reviewed by: Kamenim and Metze
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Mar 1 12:46:15 CET 2011 on sn-devel-104
This call can be substituted by "ldb_msg_add_string". We only need to be
careful on local objects or talloc'ed ones which live shorter than the message.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Use the temporary list unless we have at least the three main
"namingContexts" from the rootDSE available (Default, Configuration, Schema -
these are mandatory on all AD deployments!).
This bug has been discovered by Nadya in relation with her SD work.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Jan 15 19:01:11 CET 2011 on sn-devel-104
It's only used there and so I think it doesn't really belong in
"dsdb/common/util.c" (I first thought that it could be useful for ACL checking
but obviously it wasn't).
- don't crash when no values where specified
- return ERR_CONSTRAINT_VIOLATION on malformed messages
- only check for flags when we are involved in a LDB modify operation
All other "samdb_search_*" calls do have one - why "samdb_search_count" doesn't?
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 25 17:42:33 UTC 2010 on sn-devel-104
This control is exactly thought for the actions which previously were performed
using the RELAX one.
We agreed that the RELAX control will only remain for interactions with OpenLDAP.
This reverts commit 8a2ce5c47c.
Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
They're only in use by SAMDB code.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
"ldb_msg_add_string" is safe here since the integer has already been converted
to a string which is "talloc"ed on "mem_ctx".
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Oct 15 09:11:49 UTC 2010 on sn-devel-104
This can be substituted by "ldb_msg_add_value".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Oct 15 00:21:53 UTC 2010 on sn-devel-104
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Use it only in conjunction with the DELETE one to allow the functions to work
also against Windows < 2008R2. This is really important for the vampire
operation.
Also mark the RECYCLED control as non-critical (so that it's simply ignored by
older Windows'es).
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 4 16:10:11 UTC 2010 on sn-devel-104
We intend to see always all objects with the "show_deleted" control specified.
To see also recycled objects (beginning with 2008_R2 function level) we need to
use the new "show_recycled" control.
As far as I see this is only internal code and therefore we don't run into
problems if we do substitute it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This is needed since starting with 2008_R2 function level we get another type
of hidden objects which aren't seen by the "show_deleted" control: recycled
objects.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Do this as in "dsdb_dn_is_upgraded_link_val". There is really no reason to
truncate before search.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 3 10:45:39 UTC 2010 on sn-devel-104
this is more efficient than first searching for the DN, then doing a
search. We should look at using this in lots of existing code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This simplifies the function. While doing so, also change the error
string setting to set a really clear error string for the failure to find
and failure to parse cases.
Andrew Bartlett
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)"
in places in the dsdb code where we don't already explicitly set an
error string. This should make is much easier to track down dsdb
module bugs that result in an operations error.
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
This is needed since we have not only reset operations on password fields
(attributes marked with REPLACE flag) but also change operations which can be
performed by users itself. They have one attribute with the old value marked
with the REMOVE flag and one with the new one marked with the ADD flag.
This function helps to retrieve them (argument "new" is used for the new
password on both reset and change).
Check on modify if we are RODC and return referral.
On the ldap backend side now we pass context and ldb_modify_default_callback
to propagate the referral error to the client.
The lookup of the client site is done using the subnets in the configuration
partition. If no one matches we use the Windows Server fallback mechansim.
This means: if only one site is available just use it. If they're more set the
output variable to "".
Signed-off-by: Andrew Tridgell <tridge@samba.org>
this validates that a invocationID matches an account sid
This will be used to ensure that we don't allow DRS replication
from someone a non-DC or administrator
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This function is intended to check if some client is not lying about
his flags. At this moment, it only checks for RODC flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
