IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This fits better than the RELAX one.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed Nov 24 18:23:01 CET 2010 on sn-devel-104
- Performs the short computer name check against the sam account name.
- Enhances the LogonGetDomainInfo testsuite which checks the NULL
"dns_hostname" behaviour
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Nov 19 12:50:33 CET 2010 on sn-devel-104
We previously allocated sockets as direct children of the event
context. That led to crashes if a service called
task_server_terminate(), as it left the socket open and handling
events for a dead protocol.
Making them a child of the task allows the task to terminate and take
all its sockets with it.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
sam_ctx_system may be NULL for non-privileged users
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sat Nov 13 08:52:53 UTC 2010 on sn-devel-104
this allows accounts (and in particular RODCs) to make SPN updates on
their own account if they take the form SERVICE/hostname
we may be able to remove this in the future after some changes in our
ACL checking for userPrincipalName
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Nov 8 08:45:16 UTC 2010 on sn-devel-104
- Remove TODO comment: MS-SAMR 3.1.5.8.7 explicitly states:
"The SamrRemoveMemberFromForeignDomain method removes a member from all
aliases."
- Remove the search attributes since they aren't strictly needed.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Nov 6 18:07:57 UTC 2010 on sn-devel-104
we now keep just a list of GUIDs around between getncchanges calls,
instead of an entire db search. This makes the overhead of having a
pending getncchanges call much smaller.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Plus some cosmetic indentation fixes
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 31 19:26:45 UTC 2010 on sn-devel-104
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
this allows us to remove a dependency on the dcerpc_server from code
that uses rpc forwarding
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this also removes the event_context parameter from process model
initialisation. It isn't needed, and is confusing when a process model
init can be called from more than one place, possibly with different
event contexts.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
One pair are universal an global groups (on the SAMR pipe called "groups") and
the other one are the domain and builtin local groups (on the SAMR pipe called
"aliases").
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 25 19:37:27 UTC 2010 on sn-devel-104
All other "samdb_search_*" calls do have one - why "samdb_search_count" doesn't?
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 25 17:42:33 UTC 2010 on sn-devel-104
They can be substituted by "ldb_msg_add_string" if the string was already
talloc'ed.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 24 20:03:27 UTC 2010 on sn-devel-104
Only link to nss_wrapper when it is enabled.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Oct 23 23:05:44 UTC 2010 on sn-devel-104
If we can't find the account we should return NT_STATUS_NO_TRUST_SAM_ACCOUNT
instead of NT_STATUS_ACCESS_DENIED.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Oct 23 10:05:35 UTC 2010 on sn-devel-104
This reverts commit 8a2ce5c47c.
Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
They're only in use by SAMDB code.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
The issue here is that we have not yet first cast to int32_t explicitly,
before we cast to an signed int to printf() into the %d or cast to a
int64_t before we then cast to a long long to printf into a %lld.
There are *no* unsigned integers in Active Directory LDAP, even the RID
allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
(See the schema, and the syntax definitions in schema_syntax.c).
The failure has been detected by Matthieu Patou on the buildfarm host "tridge"
due to a malformed "groupType" attribute.
The solution is to use the "%d" specifier. Either to use it directly - or better
(when possible) use the call "samdb_msg_add_uint" (which encapsulates it).
This patch changes such problematic situations.
This can be substituted by "ldb_msg_add_value".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Oct 15 00:21:53 UTC 2010 on sn-devel-104
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The merged I plan in this area require spliting security.h into
two header files, a common header and a session.h for the
remaining source4-specific code.
Andrew Bartlett
A new event context is constructed by LDB when required for secrets.ldb
This will be essentially unused, as LDB on TDB will only trigger 'fake'
events, and blocks on transactions and lock operations anyway.
Andrew Bartlett
We intend to see always all objects with the "show_deleted" control specified.
To see also recycled objects (beginning with 2008_R2 function level) we need to
use the new "show_recycled" control.
As far as I see this is only internal code and therefore we don't run into
problems if we do substitute it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This implements partial attribute set checking on getncchanges. If the
client sends a partial_attribute_set then we only return the specified
attributes.
This also implements access checking on the NC root for the access
right GUIDs for requests with and without reveal secrets
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
use:
dcesrv:stubs directory = .
to save files like this:
RPC-netlogon-48-pullfail.dat
when a RPC packet can't be parsed or is unknown. Only enabled in
developer builds
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
the unbind method is only called when the dcesrv_connection_context is
being destroyed (its called from the destructor). That means that priv
is either already free, or is about to be freed, so don't free it
again
These are related, but slightly different concepts. The biggest difference
is that rights are not enumerated as a system-wide list.
This moves the rights to security.idl due to dependencies.
Andrew Bartlett
Now that privileges are no longer given luid values sequentially,
we need another way to look them up for enumeration.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
in case we are handling extended operation.
It seems that windows accept both DRSUAPI_EXOP_ERR_SUCCESS
and DRSUAPI_EXOP_ERR_NONE, but Samba is a little bit
more picky on this.
Most of extended operations I know of work like:
1. do extended operation
2. collect a set of objects to return and start replication cycle
3. continue returning object as we have no more to give
This way we ensure we are doing 1. only once
This adds support for DRSUAPI_EXOP_FSMO_REQ_ROLE, DRSUAPI_EXOP_FSMO_RID_REQ_ROLE
and DRSUAPI_EXOP_FSMO_REQ_PDC.
Developed in collaboration with Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
When DRSUAPI_EXOP_FSMO_RID_ALLOC extended op is handled
in DsGetNCChanges() stub, we need to returned a well know set of
object - see: [ms-adts], 3.1.1.5.1.7
With this hack we are going to return just objects modified
during RID allocation procedure - i.e. "RID Manager$", "RID Set" for
computer object and computer object itself.
Which is a close approximation of what we are expected to return.
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
when we deny a EXOP_REPL_SECRET call we should set the exop error code
to NONE, and the main return code to WERR_DS_DRA_ACCESS_DENIED (based
on observing windows server behaviour)
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
The rules for when a RODC can replicate secrets are:
- it can always replicate its own acct
- it can also replicate its krbtgt acct
- it can't replicate other krbtgt accts
- it can't replicate interdomain trust accounts
- it can't replicate users in the denied group list
- it can replicate users in the allowed group list
otherwise it can't replicate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
The getncchanges call needs to be able to access the sam as the system
user for RODC clients. To do this it needs a sam_ctx connection with
system credentials
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Depending on which NC is being replicated, GetNCChanges() returns
either ATTID based on local prefixMap or msDs-IntId value of
the attributeSchema class for the attribute being replicated.
If set, msDs-IntId value is always returned when replicating
object form NC other than Schema NC.
Objects in Schema NC replica always use prefixMap based ATTIDs.
w2k8r2 is setting this bit as a RODC. Instead of refusing the
replication, we now remove the bit from req8, which means other places
in the code that check this bit can stay the same
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional. Some elements may only make sense in Samba3, which I hope
will use this common structure.
Andrew Bartlett
