mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

3851 Commits

Author SHA1 Message Date
Volker Lendecke
aa38175e00 lib: Convert callers of sid_blob_parse to sid_parse
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-26 21:41:12 +02:00
Andrew Bartlett
2766bad5ef dbcheck: Add explicit tests for unknown and unsorted attributeID values
Unknown attributeID values would cause an exception previously, and
unsorted attributes cause a failure to replicate with Samba 4.2.

In commit 61b978872f we started
to sort these values correctly, but previous versions of Samba
did not sort them correctly (we sorted high-bit-set values as
negative), and then after 9c9df40220
we stopped accepting these.

To ensure we are allowed to make this unusual change to the
replPropertyMetaData, a new OID is allocated and checked
for in repl_meta_data.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:22 +02:00
Andrew Bartlett
bed29f3c92 pydsdb: Allow the full range of uint32_t values for attributeID
The high bit may be set in these integers, so we need an unsigned int to store it in

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:22 +02:00
Andrew Bartlett
8cacd5b811 Revert "dsdb: Only parse SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DN"
This reverts commit 1a012d591b.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10493

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-17 17:43:36 +02:00
Kamen Mazdrashki
252b62c54e dsdb: Disable tombstone_reanimation module until we isolate what causes flaky tests
Change-Id: I323a2cd5eb2449a44a9cb53abab5a127d21c5967
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 06:18:13 +02:00
Andreas Schneider
cd71f9338a s4-samdb: Correctly cast data pointer
This fixes a signedness warning.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Andreas Schneider
dd8a085b01 CID 1311772: Fix null pointer check
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 15 04:50:36 CEST 2015 on sn-devel-104
2015-07-15 04:50:36 +02:00
Andreas Schneider
2bfe12e96e CID 1311771: Fix a null pointer dereference
We check for dir == NULL but dereference it during variable declaration.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-15 01:47:21 +02:00
Andreas Schneider
2f86e32a99 CID 1311767: Cast enum type to avoid compiler warnings
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-15 01:47:21 +02:00
Andreas Schneider
0c01771e3b CID 1311764: Fix logical compare in if clause
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-15 01:47:20 +02:00
Stefan Metzmacher
666ac7c5b7 s4:dsdb/common: add dsdb_trust_merge_forest_info() helper function
This is used to merge the netr_GetForestTrustInformation() result with
the existing information in msDS-TrustForestTrustInfo.

New top level names are added with LSA_TLN_DISABLED_NEW
while all others keep their flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
f043ee97ac s4:dsdb/common: dsdb_trust_normalize_forest_info_step[1,2]() and dsdb_trust_verify_forest_info()
These will be used in dcesrv_lsa_lsaRSetForestTrustInformation() in the
following order:

- dsdb_trust_normalize_forest_info_step1() verifies the input
  forest_trust_information and does some basic normalization.

- the output of step1 is used in dsdb_trust_verify_forest_info()
  to verify the overall view of trusts and forests; this may generate
  collision records and marks records as conflicting.

- dsdb_trust_normalize_forest_info_step2() prepares the records
  to be stored in the msDS-TrustForestTrustInfo attribute.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
46e2a97a2b s4:dsdb/common: add dsdb_trust_xref_tdo_info() helper function
This emulates a lsa_TrustDomainInfoInfoEx struct for our own domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
e7c4d2e7eb s4:dsdb/common: add dsdb_trust_forest_info_from_lsa() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
38c30b9d68 s4:dsdb/common: add dsdb_trust_get_incoming_passwords() helper function
This extracts the current and previous nt hashes from trustAuthIncoming
as the passed TDO ldb_message.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
8a63dd8bbc s4:dsdb/password_hash: reject interdomain trust password changes via LDAP
Only the LSA and NETLOGON server should be able to change this, otherwise
the incoming passwords in the trust account and trusted domain object
get out of sync.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
dd23d8e1b2 s4:dsdb/common: support trusted domains in samdb_set_password_sid()
We also need to update trustAuthIncoming of the trustedDomain object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
81c276047a s4:dsdb/common: make use of dsdb_search_one() in samdb_set_password_sid()
This will simplify the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
aded6f6551 s4:dsdb/common: pass optional new_version to samdb_set_password_sid()
For trust accounts we need to store the version number provided by the client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
1a84cb7d0b s4:dsdb/netlogon: add support for CLDAP requests with AAC=0x00000400(ACB_AUTOLOCK) and user="example.com."
Windows reuses the ACB_AUTOLOCK flag to handle SEC_CHAN_DNS_DOMAIN domains,
but this is not documented yet...

This is triggered by the NETLOGON_CONTROL_REDISCOVER with a domain string
of "example.com\somedc.example.com".

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a2518116b7 s4:dsdb/common: add dsdb_trust_search_tdo*() helper functions
These are more generic and will replace the existing sam_get_results_trust().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a11f874dc7 s4:dsdb/common: add helper functions for trusted domain objects (tdo)
The most important thing is the dsdb_trust_routing_table with the
dsdb_trust_routing_table_load() and dsdb_trust_routing_by_name() functions.

The routing table has knowledge about trusted domains/forests and
enables the dsdb_trust_routing_by_name() function to find the direct trust
that is responsible for the given name.

This will be used in the kdc and later winbindd to handle cross-trust/forest
routing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Volker Lendecke
7829395926 dsdb: Rename a parameter
Coverity was confused by the 'seq_num' variable as an argument for the
'local_usn' parameter, where also a 'seq_num' parameter exists. Doesn't hurt,
and if it kills a Coverity warning, why not...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jul  1 14:09:14 CEST 2015 on sn-devel-104
2015-07-01 14:09:14 +02:00
Volker Lendecke
a924399b91 dsdb: Fix CID 1034902 Dereference before null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 24 01:02:22 CEST 2015 on sn-devel-104
2015-06-24 01:02:22 +02:00
Volker Lendecke
8253549264 dsdb: Fix CID 1034687 Logically dead code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
7613174e7b dsdb: Fix CID 1034719 Evaluation order violation
We assigned lp_ctx twice...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
d09d428c5e dsdb: Fix CID 1034802 Dereference null return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
22d4d91649 dsdb: Fix CID 1034742 Dereference after null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
5c30ed470d dsdb: Fix CID 1034743 Dereference after null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
77c6cdcbd5 dsdb: Fix CID 1034803 Dereference null return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
6ed5b4ec8b dsdb: Fix CID 1034804 Dereference null return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
4b80851568 dsdb: Fix CID 1034745 Dereference after null check
This is a cut&paste error

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Andrew Bartlett
c1c25b4939 dsdb: Relax the check for the RID set DN
This was preventing the correct generation of error messages and referrals on an RODC.

An RODC does not have a RID set.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-28 07:25:07 +02:00
Andrew Bartlett
86943313f2 kcc: Wait until the samba_kcc script runs to declare success to the caller
This allows us to tell if this script even executes, without looking in the logs.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-05-28 07:25:07 +02:00
Matthieu Patou
ce4830e00a Fix segfault in the very rare case when we are not able to find the rootnamingcontext
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Change-Id: I96fd5c7f39280090d5ec1dcdcb445fd7a44bd1c6

Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Wed May 27 18:40:35 CEST 2015 on sn-devel-104
2015-05-27 18:40:35 +02:00
Volker Lendecke
06f4ba3217 lib: Remove server_id_str()
Call server_id_str_buf instead

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 28 20:48:01 CEST 2015 on sn-devel-104
2015-04-28 20:48:01 +02:00
Volker Lendecke
b024ea84ff dsdb: Fix CID 1034681 Copy-paste error
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-23 16:04:18 +01:00
Günther Deschner
2ad3dcc7cf s4-dsdb/samdb: use abstract functions for MIT compatibility.
This involves switching to krb5_data, smb_krb5_get_pw_salt and
smb_krb5_create_key_from_string.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-20 23:25:52 +01:00
Andrew Bartlett
d3b208c1fc dsdb-tests: Give more helpful information about attribute differences
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-20 13:49:26 +01:00
Michael Adam
9139caa57a dsdb: fix error message in tombstone_reanimation test.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-17 16:48:07 +01:00
Michael Adam
06a410dfb1 dsdb: fix error message in sam test
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-17 16:48:07 +01:00
Volker Lendecke
de811f14af lib: Remove tdb_compat
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17 11:30:52 +01:00
Volker Lendecke
cf368cbdc5 lib: Remove tdb_fetch_compat
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17 11:30:52 +01:00
Volker Lendecke
f199e0ebfc lib: Remove tdb_errorstr_compat
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17 11:30:52 +01:00
Volker Lendecke
d699e1db80 lib: Remove "use_ntdb" param from secrets_init_path
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17 11:30:51 +01:00
Volker Lendecke
9943691093 samdb: Ignore ntdb in secrets_tdb_sync
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-17 11:30:51 +01:00
Michael Adam
3d1e4a90d0 dsdb: fix the user_account_control test.
On my system (Fedora 21) the test fails with:

[1(0)/1 at 0s] samba4.user_account_control.python(dc)
teardown_env(dc)
Traceback (most recent call last):
  File "/home/obnox/devel/samba/master-push.git/source4/dsdb/tests/python/user_account_control.py", line 23, in <module>
    from subunit.run import SubunitTestRunner
ImportError: No module named subunit.run

This fixes it for me.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 16 20:25:33 CET 2015 on sn-devel-104
2015-03-16 20:25:33 +01:00
Andrew Bartlett
288117507f dsdb-repl: Always set DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING when we are an RODC
Unless we are using DRSUAPI_EXOP_REPL_SECRET, always remove
DRSUAPI_DRS_WRIT_REP and always set
DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING

Otherwise, we will not work as an RODC, because replication will fail
with access denied errors.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2015-03-16 03:00:07 +01:00
Stefan Metzmacher
3098a43266 s4:pydsdb: add DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Andrew Bartlett
7ed24924d2 dsdb: Ensure we cope with a samAccountName with a space in it in DsCrackName()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Andrew Bartlett
3cd8713216 dsdb: Allow spaces in userPrincipalName values
This is needed to enable a kinit with a UPN that has a space in it

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Jelmer Vernooij
f52e895459 tests/sam: Remove unnecessary calls for third party module imports.
Change-Id: Iaa1af59005eaee7ea79f3260b250a2c948e07532
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-06 04:41:47 +01:00
Volker Lendecke
38628b1e32 Fix the O3 developer build
Different gcc versions complain at different places

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar  3 13:14:53 CET 2015 on sn-devel-104
2015-03-03 13:14:53 +01:00
Volker Lendecke
a99a5a34a5 Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
2015-02-25 16:32:29 +01:00
Andrew Bartlett
c8c2c850d4 Update mailing list references to point at lists.samba.org
The mailing lists are on lists.samba.org, but there are many references that use the shorthand of samba.org

Some references to samba@ have been changed to samba-technical@ where this makes more sense.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 10 07:08:28 CET 2015 on sn-devel-104
2015-02-10 07:08:28 +01:00
Kamen Mazdrashki
7fd2401b7d s4-samdb/tests: Assert on expected set of attributes for new User object
Change-Id: I225b64ff7492b41852fecb914f464a6c8d504a2c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb  3 07:30:17 CET 2015 on sn-devel-104
2015-02-03 07:30:17 +01:00
Kamen Mazdrashki
72998acc45 s4-dsdb/tests: Assert on expected set of attributes for restored objects
Change-Id: I788406d9c3839d108cea508cf2a59488d495f141
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
3c066661e8 s4-dsdb: Refactor user objects defaults setter to use attribute/value map
Change-Id: Iaa32af4225219a4c5c42c663022e8be429b8a1d2
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Andrew Bartlett
ed60811893 dsdb: Do not use _ prefix in tombstone_reanimate module
This should only be used by the C library.

Andrew Bartlett

Change-Id: I00da64de1443a7c6b21aafae79e126180eb1a3d4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
3fdda87120 s4-dsdb: common helper to determine "primaryGroupID" attribute value
At the moment the current implementation does not check if the group RID
is an existing group RID - this responsibility is left to the caller.

Change-Id: I8c58dd23a7185d63fa2117be0617884eb78d13c1
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
b37f7e6190 s4-dsdb: Common helper for setting "sAMAccountType" on User objects
Change-Id: I4480e7d1ed0c754e960028e0be9a90ee56935e94
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
c9b0945199 s4-dsdb: Move User object default attribute values in separate helper
Change-Id: I1e291bcf0a5c9b2fca11323dc7f8be29f5145d42
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
459a7c7de6 s4-dsdb/tests: Do not pre-create LoadParm - connect_samdb_env() will handle it
Change-Id: I3483c5aa50de2f7aca19e4d7cc4fa49bbe5f889d
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
2ad50f8842 s4-dsdb-test: Use common base method for restoring Deleted objects
Change-Id: I266b58ced814cf7ea3616862506df5b55f4f1d8c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
db993c0de4 s4-dsdb/samldb: Don't allow rename requests on Deleted object
Windows behavior in case of renaming a Deleted object is:
* return ERR_NO_SUCH_OBJECT in case client is not providing
  SHOW_DELETED control
* ERR_UNWILLING_TO_PERFORM otherwise

Renaming of Deleted objects is allowed only through special
Tombstone reanimation modify request

Change-Id: I1eb33fc294a5de44917f6037988ea6362e6e21fc
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
b4ccfbc214 s4-dsdb/test: Delete any leftover objects in the beginning of Cross-NC test
This way we ensure that samdb is clean before we make the test

Change-Id: I3c6fc94763807394e52b6df41548e9aba8b452c1
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
ac2931628c s4-dsdb/samldb: Relax restrictions a bit in Config partition while restoring deleted object
Change-Id: Iead460d24058b160b46cf3ddedaf4d84b844da4d
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
e30be9a948 s4-dsdb/samdb: Don't relax constraint checking during rename for Deleted objects
Now we have a module to handle Tombstone reanimation,
and it is better that we do all the checks here as usual

Change-Id: Ia5d28d64e99f7a961cfe8b9aa7cc96e4ca56192e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
84b897aec4 s4-dsdb-test/reanimate: Fix whitespaces according to PEP8
Change-Id: I7b46992c80178d40a0531b5afd71a7783068a9dd
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
a72e6287e5 s4-dsdb-tests: Move base tests for Tombstone reanimation in tombstone_reanimation module
So we have them all in one place.

While moving, I have:
* inherited from the base class for Tombstone reanimations
* replaced self.ldb with self.samdb

Change-Id: Id3e4f02cc2e0877d736da812c14c91e2311203d2
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
98750442a3 s4-dsdb-test: Fix duplicated key in a dictionary in sam.py
Change-Id: Ie33d92bd308262d9bfda553d6d5e2cfd98f6d7b3
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
add32d8575 s4-dsdb/objectclass: remove duplicated declaration for objectclass_do_add
Change-Id: Ib88a45cea64fb661a41ca3b4a3df9dabf509fc6c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
e80bba721f s4-dsdb-test: remove trailing ';' in ldap.py
Change-Id: I5edc6e017b576791c1575f71a625c49ccc88fe8f
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
70c03fa7a8 s4-dsdb/reanimate: Group objects reanimation implementation
Change-Id: Iea92924ff6b33fa3723b104d5dfff1ce5a7a09b0
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:12 +01:00
Kamen Mazdrashki
d5fc8b080f s4-dsdb/reanimate: Swap rename->modify operations to modify->rename sequence
This way it is more visible that we work on the 'deleted object' during modify
and it will also help us to handle 'stop rename for deleted objects'
properly in future

[MS-ADTS]: 3.1.1.5.3.7.3 Undelete Processing Specifics

Change-Id: I9bb644e099a4a2afcb261ad22515c9c4ce4875bb
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
72c55980e3 s4-dsdb/reanimate: Use 'show deleted' control in modify operations too
Before committing changes, the object is still deleted - isDeleted = true

Change-Id: Ie1ab53dc594d1bfaf5b9e06316e7a1fc0dd4b8cb
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
4c5c7d3c1c s4-dsdb/samldb: Skip 'sAMAccountType' and 'primaryGroupID' during Tombstone reanimate
tombstone_reanimate.c module is going to restore those attributes
and it needs a way to propagate them to DB

Change-Id: I36f30b33fa204fd28329eab01044a125f7a3f08e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
afd4b23dc9 s4-dsdb/samldb: Fix typo "omputer" -> "computer"
Change-Id: Ic56c6945528b7f60becc4f0b318429f4c22c3d2e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
4acd22508d s4-dsdb/reanimate: Implement attribute_restore function
At the moment it works for objects with objectClass user + a common
case of removing isRecycled attribute

Change-Id: I70b0ef0ef65c13d3def82ca53ace52a85a078a37
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
8e10c10bd6 s4-dsdb-util: Mark attributes with ADD flag in samdb_find_or_add_attribute()
At the moment no flags are set and it works fine, since this function
is solely used in samldb during ADD requests handling.
Pre-setting a flag makes it useful for other modules and request
handlers too

Change-Id: I7e43dcbe2a8f34e3b0ec16ae2db80ef436df8bfe
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
4944e73d53 s4-dsdb-test: Fix Undelete tests after subunit upgrade work
Change-Id: I4712a2a2163a57fde037511afcc1cb7bee05f12e
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
647c0ea017 s4-dsdb-test: Use case insensitive comparison for DNs in undelete test
Change-Id: I4a009bb7ed58ab857ac74a235bb5f580911f0d92
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
ea4786875d s4-dsdb-test: Initial implementation for Tombstone restore test suite
Change-Id: Ib35ff930b6e7cee14317328b6fe25b59eec5262c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Nadezhda Ivanova
2aa2e9afa2 s4-dsdb: Some minor fixes in tombstone_reanimate, to make it work with acl
Change-Id: Idad221c7ecf778fd24f6017bb4c6eacac541086a
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Nadezhda Ivanova
d6334925ab s4-dsdb: Implementation of access checks on a undelete operation
Special Reanimate-Tombstone access right is required, as well as most of
the checks on a standard rename.

Change-Id: Idae5101a5df4cd0d54fe4ab2f7e5ad7fc1c23648
Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Nadezhda Ivanova
ac8b8e5539 s4-dsdb: Tests for security checks on undelete operation
Implemented according to MS-ADTS 3.1.1.5.3.7.1. Unfortunately it appears
LC is also necessary, and it is not granted by default to anyone but
System and Administrator, so tests had to be done negatively

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Change-Id: Ic03b8fc4e222e7842ec8a9645a1bb33e7df9c438
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
def9d26868 s4-dsdb: Mark request during Tombstone reanimation with custom LDAP control
We are going to need this so that underlying modules (acl.c)
can treat those requests properly

Change-Id: I6c12069aa6e7e01197dddda6c610d930d3fd9cb0
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
78f848419d s4-dsdb: Implement rename/modify requests as local for the module
The aim is for us to be able to fine tune the implementation
and also add custom LDAP controls to mark all requests as
being part of Reanimation procedure

Change-Id: I9f1c04cd21bf032146eb2626d6495711fcadf10c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
2eef8e95a1 s4-dsdb: Add documentation link for Tombstone Reanimation
Change-Id: Ib779c8b0839889371f25ad5751c9cda1a510eb54
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
039646b3cb s4-dsdb: Define internal dsdb control to mark Tombstone reanimation requests
Tombstone reanimation requires some special handling which is going
to affect several modules. Most notably:
 - a bit different access checks in acl.c
 - restore certain attributes during modify requests in samldb.c

Control added also to schema_samba4.ldif by Andrew Bartlett
hence the "pair programmed with" tag.

Change-Id: Ief4f7dabbbdc2570924fae48c30ac9c531a701f4
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
4e44a0883e s4-dsdb: Make use of dsdb_make_object_category() for objectCategory
Change-Id: If65c54a653ad7078ca7a535b5c247db2746b5be7
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
1154075220 s4-dsdb: Make most specific objectCategory for an object
This is a lightweight implementation and should be used on objects
with an already verified objectClass attribute value - e.g. valid classes,
sorted properly, etc.
Check out the objectclass.c module for the heavyweight implementation.

Change-Id: Ifa7880d26246f67e2f982496fcc6c77e6648d56f
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:11 +01:00
Kamen Mazdrashki
5921bb84ab s4-dsdb: Initialize module context only if we are to handle Tombstone request
Change-Id: I73bd2043e96907e3d1a669bdbd943ddee1df8c0a
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:10 +01:00
Kamen Mazdrashki
ffdc834bd1 s4-dsdb: Return error codes as windows does for Tombstone reanimation
Tested against Windows Server 2008 R2
In case we try to restore to an already existing object, Windows
returns: LDB_ERR_ENTRY_ALREADY_EXISTS
Otherwise it is: LDB_ERR_OPERATIONS_ERROR

Change-Id: I6b5fea1e327416ccf5069d97a4a378a527a25f80
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:10 +01:00
Kamen Mazdrashki
f84e1989b4 s4-dsdb-tests: Fix whitespace in deletetest.py
Change-Id: Ic2924b0aa9cffd29fe0c857317ccb65ba53a1c21
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:10 +01:00
Kamen Mazdrashki
1afd50fed0 s4-dsdb-tests: Make unique object names to test with in deletetest
This way we can re-run the test again and again

Change-Id: I29bd878b77073d94a279c38bd0afc2f0befa6f9d
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:10 +01:00
Kamen Mazdrashki
bb1337170c s4-dsdb-tests: Remove unused method get_ldap_connection()
Change-Id: Ie50f77dbba724dbd3c2822de5c2cfff41016fac6
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:10 +01:00
Kamen Mazdrashki
7d2247939c s4-dsdb-tests: Remove trailing ';' in deletetest.py
Change-Id: Ic1ad6bbda55be56cbf7ae78a8ad988b8e479a40c
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:10 +01:00
Kamen Mazdrashki
5aaa33694a s4-dsdb: Insert tombstone_reanimate module in ldb modules chain after objectclass
Change-Id: Id9748f36f0aefe40b1894ecd2e5071e3b9c8a6d6
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:10 +01:00
Kamen Mazdrashki
886a352bf7 s4-dsdb: Initial implementation for Tombstone reanimation module
At the moment it works for basic scenario:
 - add user
 - delete user
 - restore deleted user

TODO:
 - security checks
 - flags verification
 - cross-NC checks
 - asynchronous implementation (may not be needed, but anyway)

Change-Id: If396a6dfc766c224acfeb7e93ca75703e08c26e6
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-03 05:02:10 +01:00
Nadezhda Ivanova
b881da6584 s4-dsdb-tests: Some tests for deleted objects undelete operation
Based on MS-ADTS 3.1.1.5.3.7.2

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Change-Id: I650b315601fce574f9302435f812d1dd4b177e68
2015-02-03 05:02:10 +01:00
Stefan Metzmacher
dc2f91020e s4:dsdb/tests: add test_timevalues1() to verify timestamp values
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9810

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 24 20:17:20 CET 2015 on sn-devel-104
2015-01-24 20:17:20 +01:00
Andrew Bartlett
496b67b27a dsdb-tests: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set
Also confirm what bits have to be ignored, or otherwise processed

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jan 22 10:16:42 CET 2015 on sn-devel-104
2015-01-22 10:16:42 +01:00
Andrew Bartlett
daeedb030f dsdb-samldb: Clarify userAccountControl manipulation code by always using UF_ flags
The use of ACB_ flags was required before msDS-User-Account-Control-Computed was implemented

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
1279d5e863 dsdb-samldb: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
49485ab978 dsdb-samldb: Only allow known and settable userAccountControl bits to be set
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
ad98c0e175 dsdb-tests: Show that we can not change the primaryGroupID of a DC
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Stefan Metzmacher
2a432752c0 s4:dsdb/samldb: let samldb_prim_group_change() protect DOMAIN_RID_{READONLY_,}DCS
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
735605a6b0 dsdb: Improve userAccountControl handling
We now always check the ACL and invariant rules using the same function

The change to libds is because UF_PARTIAL_SECRETS_ACCOUNT is a flag,
not an account type

This list should only be of the account exclusive account type bits.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
bf99abb5db dsdb-tests: Add new test samba4.user_account_control.python
This confirms security behaviour of the userAccountControl attribute
as well as the behaviour on ADD as well as MODIFY, for every
userAccountControl bit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I8cd0e0b3c8d40e8b8aea844189703c756cc372f0
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
b995ef3795 dsdb: Default to UF_NORMAL_ACCOUNT when no account type is specified
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
412b602314 libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type
This list should only be of the account exclusive account type bits.

Note, this corrects the behaviour in samldb modifies of
userAccountControl.

This reverts 6cb91a8f33

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
7e41bcf305 dsdb-tests: Align sam.py with Windows 2012R2 and uncomment userAccountControl tests
These tests now pass against Samba and Windows 2012R2.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I1d7ba5e6a720b8da88c667bbbf3a4302c54642f4
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-22 07:50:06 +01:00
Andrew Bartlett
ef7fb904a9 CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl
This requires an additional control to be used in the
LSA server to add domain trust account objects.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Jan 15 14:54:47 CET 2015 on sn-devel-104
2015-01-15 14:54:47 +01:00
Andrew Bartlett
9d62b6764e CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-15 12:33:08 +01:00
Andrew Bartlett
db004e079a CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Change-Id: I36ad5ebc5d8a4811c41b59af90a3add4ae5fd857
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-01-15 12:33:08 +01:00
Garming Sam
e4213512d0 dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable
This includes additional tests based directly on the docs, rather than
simply testing our internal implementation in client and server contexts,
that create a user and groups.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming-Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104
2014-12-22 17:17:02 +01:00
Andrew Bartlett
eabc177bf6 dsdb: Ignore errors from search in dns_notify module
This ensures the error messages are unchanged

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-12-22 05:57:08 +01:00
Andrew Bartlett
bb886401e8 dsdb: Use a fixed set of attributes in search in dns_notify module
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-12-22 05:57:08 +01:00
Andrew Bartlett
e9f6dc730d dsdb: Use ldb_attr_cmp() for comparing objectclass names
This is the same as strcasecmp, but it is best to remain consistent.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-12-22 05:57:08 +01:00
Samuel Cabrero
4fb29e9347 s4-dns: Reload DNS zones from dsdb when zones are modified through RPC or DRS
Set up an RPC management call on the internal DNS server, triggered by a new LDB
module which sniffs dnsZone object add, delete and modify operations. This
way the notification is triggered when zones are modified either from RPC or
replicated by inbound DRS.

Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me>
(shadowed variable error corrected by abartlet)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2014-12-22 05:57:08 +01:00
Andrew Bartlett
1a012d591b dsdb: Only parse SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DN
This avoids trying to parse some other rule, like bitwise and, that may be applied to this attribute

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-12-22 00:18:09 +01:00
Samuel Cabrero
afe6e576b9 s4:dsdb: Fix not freed temp memory context
Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-22 00:18:09 +01:00
Samuel Cabrero
913cd47875 dsdb: Define syntax access point oid string as a macro
Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-22 00:18:09 +01:00
Andrew Bartlett
172aa0ee38 dsdb: Improve code clarity for ldb_extended_dn_in_openldap mode
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-12-22 00:18:08 +01:00
Samuel Cabrero
c3ca217969 s4:dsdb/extended_dn_in: Fix DNs and filter expressions in extended match ops
Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-22 00:18:08 +01:00
Stefan Metzmacher
a6ecef4532 s4:dsdb/rootdse: expand extended dn values with the AS_SYSTEM control
Otherwise we can't find the GUID of the 'serverName' attribute
as ANONYMOUS.

This results in

  root@ub1204-161:~# ldbsearch -U% -H ldap://172.31.9.161 -b '' -s base --extended-dn serverName
  search error - LDAP error 1 LDAP_OPERATIONS_ERROR -  <00002020: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>

While it works as system:

  root@ub1204-161:~# ldbsearch -U% -H /var/lib/samba/private/sam.ldb -b '' -s base --extended-dn serverName
  # record 1
  dn:
  serverName: <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
   rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base

  # returned 1 records
  # 1 entries
  # 0 referrals

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10949

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-12-12 17:48:27 +01:00
Jelmer Vernooij
7dbc58f524 Reduce number of places where sys.path is (possibly) updated for external module paths.
Change-Id: I69d060f27ea090d14405e884d1ce271975358c56
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Sun Nov 30 20:54:04 CET 2014 on sn-devel-104
2014-11-30 20:54:03 +01:00
Volker Lendecke
4083ba6fe5 dsdb: Remove a self-assignment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-24 18:52:05 +01:00
Jelmer Vernooij
869a9f7a3a sam: Use samba.tests.subunitrun.
Change-Id: Ic2ac4b335cf805ddbd442a065c4eaf6ef2b210d9
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-24 10:46:05 +01:00
Jelmer Vernooij
4f75f17ba7 Use samba.tests.subunitrun in dsdb ldap and ldap_schema tests.
Change-Id: I51ddc55720a23013a2c6ae20e3225f027348083c
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-24 10:46:05 +01:00
Jelmer Vernooij
98b5380af6 Use samba.tests.subunitrun in urgent replication test.
Change-Id: I3e7a32876d557ac376326ab75e851298e874d584
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-24 10:46:05 +01:00
Jelmer Vernooij
d857e7b1a7 ldap: Use samba.tests.subunitrun.
Change-Id: I872654afb31a5eda8c88aac716f9ce79816e5f05
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
cfb5e9bbf2 deletetest: use samba.tests.subunitrun.
Change-Id: I13565c7c14ea186709ce1de9038ef840c5b766b8
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
6fb26c0e29 ldap_syntaxes: Use samba.tests.subunitrun.
Change-Id: Ib62b747876b4408fdc8ff44e9b4c63578e1a6408
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
3961bd68ca password lockout: Use samba.tests.subunitrun.
Change-Id: I848099d22acd4a0ce7d589de48eb72e2d180ceae
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
eae1efca41 passwords: Use samba.tests.subunitrun.
Change-Id: Ib806f63ef412fec264445eefd82146e5140b0bac
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
0c82bdda0f sec_descriptor: Use samba.tests.subunitrun.
Change-Id: I5caba3e27ad21cc5381883a823e0ec5e2966a264
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
fc0b8aac9d token_group: Use samba.tests.subunitrun.
Change-Id: Id7c247451532eded1f44ef9b1aa1808dd18098c6
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
330597507c sites: Use samba.tests.subunitrun.
Change-Id: Ic06e1a0f7174683b6b817a5412b8635145329c00
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
21280da0d6 sec_descriptor test: Simplify, use samba.tests.subunitrun module.
Change-Id: I4ffda49cf3e209eaa28fc83f6fd9ded47f0ad7ee
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
ee281c61d0 Move option handling into samba.tests.subunitrun.
Change-Id: I65a73b74854af636413f4f284147f3bcf28b6f82
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
24035a6b3e Move option parsing to samba.tests.subunitrun.
Change-Id: I2939c1b6ebb9739530efa9bc4667668cff7a7aeb
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
8d8d800a0f Add convenience class for old-style Samba subunit python tests.
Change-Id: I84a97cc71cfa99c14e0c93ec19ff9eea6149bb5a
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-22 02:23:10 +01:00
Jelmer Vernooij
1800bc567d dsdb.tests.acl: Create and run a single testsuite, should ease migration to regular Python unit tests.
Change-Id: I89072d3af1d90e87a47c197d28943f47cedc5deb
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-19 18:30:07 +01:00
Jelmer Vernooij
d8177912be dsdb.tests.ldap: Create and run a single testsuite, should ease migration to regular Python unit tests.
Change-Id: I07216ff1063e127b541bf4e5d6349d5a75cec678
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-19 18:30:07 +01:00
Jelmer Vernooij
7f0969d79a dirsync test: Create and run a single testsuite, should ease migration to regular Python unit tests.
Change-Id: I6fbffd6453f8af966938943f2895bd6d93f8fb59
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-11-19 18:30:06 +01:00
Jelmer Vernooij
23ac8d130c urgent_replication: Use subunit reporting, remove allow_empty_output.
Change-Id: I6d479b218eff6c4292fbb99e4760bbd62ce1f380
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-10-14 06:44:07 +02:00
Andrew Bartlett
bf0db7ecc9 dsdb: Do not attempt to return beyond the end of the password history array
Found by AddressSanitizer

Change-Id: I82e35aea60726053c79510ba8ed3eedfaf553eb7
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>

Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Mon Oct 13 08:28:15 CEST 2014 on sn-devel-104
2014-10-13 08:28:14 +02:00
Volker Lendecke
8686da231d dsdb: Fix a crash in an error return
In an error return we have

/* Back it out, if it fails on one */
for (i--; i >= 0; i--) {
	ldb_next_del_trans(data->partitions[i]->module);
}

With unsigned int i this will spin and del_trans somewhere far off :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-10-11 22:02:04 +02:00
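The back-out idiom that the fix above needs, as an added example written for this page (it is not Samba's code): struct fake_partition, fake_start_trans() and fake_del_trans() are constructed stand-ins for the partition module array and for the start/del transaction callbacks such as ldb_next_del_trans(), and the partition names are made up. The counter stays unsigned, as in the crashing code, and the loop form shown is the one that terminates, including the i == 0 case where the very first partition fails and nothing may be backed out:

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for one entry of data->partitions[]; not Samba's struct. */
struct fake_partition {
	const char *name;
	bool fail_on_start;     /* make the hypothetical start-transaction call fail */
	bool in_transaction;
};

/* Hypothetical stand-in for the per-partition start_trans callback: 0 on success. */
static int fake_start_trans(struct fake_partition *p)
{
	if (p->fail_on_start) {
		return -1;
	}
	p->in_transaction = true;
	return 0;
}

/* Hypothetical stand-in for ldb_next_del_trans() on one partition module. */
static void fake_del_trans(struct fake_partition *p)
{
	p->in_transaction = false;
}

/*
 * Start a transaction on every partition; if one fails, back out the ones
 * already started.  Returns the index of the partition that failed, or n if
 * all n succeeded.
 *
 * With an unsigned i, the original for (i--; i >= 0; i--) never terminates:
 * i >= 0 is always true and after 0 the decrement wraps to UINT_MAX, so the
 * next del_trans indexes far outside the array.  while (i-- > 0) tests before
 * decrementing, so it visits i-1 down to 0 and then stops; when i == 0 the
 * body never runs at all.
 */
static unsigned int start_all_or_backout(struct fake_partition *parts, unsigned int n)
{
	unsigned int i;
	unsigned int failed;

	for (i = 0; i < n; i++) {
		if (fake_start_trans(&parts[i]) != 0) {
			break;
		}
	}
	failed = i;
	if (failed == n) {
		return n;                       /* all started, nothing to back out */
	}

	/* Back it out, if it fails on one */
	while (i-- > 0) {
		fake_del_trans(&parts[i]);
	}
	return failed;
}

/* True if no partition was left with a dangling transaction. */
static bool all_clean(const struct fake_partition *parts, unsigned int n)
{
	for (unsigned int i = 0; i < n; i++) {
		if (parts[i].in_transaction) {
			return false;
		}
	}
	return true;
}

/* Constructed samples; the partition names are illustrative only. */
static struct fake_partition third_fails[4] = {
	{ "DC=DomainDnsZones,DC=example,DC=test",          false, false },
	{ "CN=Configuration,DC=example,DC=test",           false, false },
	{ "CN=Schema,CN=Configuration,DC=example,DC=test", true,  false },
	{ "DC=example,DC=test",                            false, false },
};
static struct fake_partition first_fails[2] = {
	{ "CN=Configuration,DC=example,DC=test", true,  false },
	{ "DC=example,DC=test",                  false, false },
};
static struct fake_partition none_fail[2] = {
	{ "CN=Configuration,DC=example,DC=test", false, false },
	{ "DC=example,DC=test",                  false, false },
};

int main(void)
{
	unsigned int r = start_all_or_backout(third_fails, 4);
	printf("failed at index %u, all clean: %s\n", r,
	       all_clean(third_fails, 4) ? "yes" : "no");
	return 0;
}
```

The same shape (test before decrement) is the one to reach for whenever an index type is unsigned, which is the common case for array sizes and `size_t` loop variables.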
Andrew Bartlett
22eb416d16 repl: Specify the target realm in dreplsrv_get_target_principal()
We know what realm we need to contact, so avoid trying to correctly get a referral from our KDC.

Andrew Bartlett

Change-Id: I154ff72f3176d581b64e0c67d4a9c5f1f76b7924
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Sep 30 14:58:50 CEST 2014 on sn-devel-104
2014-09-30 14:58:50 +02:00
Jelmer Vernooij
354f1461b4 acl: Fix typo: structrual -> structural
Change-Id: I859f62042e16d146ab4cb1490ab725d2bfa06db1
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-09-27 19:42:37 +02:00
Jelmer Vernooij
5ae9ada3a8 dsdb: Be less verbose when announcing kcc is being invoked.
Change-Id: I94ab7d92e7e4f4311f0b20b1072c3ad05155d068
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-09-27 19:42:36 +02:00
Andrew Bartlett
1c979b1cfc dsdb: improve debugging in DsCrackNameOneFilter
Change-Id: I64d8e1eb94d833dc8ebf18fecdf32a83470a087e
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
b6ade7d04b dsdb: Make log message more clear
Change-Id: Ibf3c55748e755d2f6dae57293bfde11cdf7ba3ae
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
c9f613f60d dsdb: Permit creation of partitions of type INSTANCE_TYPE_UNINSTANT
This is only allowed when we are creating the objects from a DsAddEntry call, not over LDAP.

Change-Id: Ieec6b07556d58741ec04fede8bf9940811f12a62
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:42 +02:00
Andrew Bartlett
c11a89a2c1 join.py: Reinstate full_nc_list and make creation of NTDS-DSA object common
The new function join_ntdsdsa_obj() returns the object, to be added over LDAP or DsAddEntry().

Andrew Bartlett

Change-Id: I41ac256fb3d4edffc617af4ae580acd941b4de83

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:41 +02:00
Andrew Bartlett
1fb79011c1 dsdb: Change acl module to look for instanceType flag rather than list of NCs
This avoids any DNs being a free pass beyond the ACL code, instead it is based on the CN=Partitions ACL.

Andrew Bartlett

Change-Id: Ib2f4abe0165e47fa4a71925d126c2eeec68df119
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-01 00:36:41 +02:00
Stefan Metzmacher
25ec8e8656 s4:samba_dnsupdate: cache the already registered records
This way we can delete records which are not used anymore.

E.g. if the ip address changed.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=9831

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-26 09:13:06 +02:00
Andrew Bartlett
3dfca72dba dsdb: Also redact the clearTextPassword input-only attribute
We go to a great deal of effort to avoid administrators posting their
passwords in Samba logs, and one of the ways we do that is to remove
them from internal ldif dumps Samba produces while operating as an AD
DC.

clearTextPassword is not a real attribute, but it functions as one for
an input path.

Change-Id: Iaacf3354fc9bfff18d6774f49b17a9ba962347d5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Aug 16 01:05:07 CEST 2014 on sn-devel-104
2014-08-16 01:05:07 +02:00
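A small LDIF redactor in the spirit of the commit above, added here as an example; it is not Samba's own redaction code. clearTextPassword is the attribute the commit names, the other entries in the list are an illustrative choice, the sample entry is constructed and its values are not real credentials. Besides the plain `attr: value` form it handles the `::` base64 form and drops folded continuation lines (the leading-space lines visible in the ldbsearch output earlier on this page), so a long secret cannot leak through its second line:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Attribute names whose values must never reach a log.  clearTextPassword is
 * the one named in the commit; the rest are an illustrative list for this
 * example, not Samba's actual redaction set. */
static const char *const secret_attrs[] = {
	"clearTextPassword",
	"unicodePwd",
	"userPassword",
	NULL,
};

/* LDAP attribute names are case-insensitive, so compare them that way. */
static int is_secret_attr(const char *name, size_t len)
{
	for (size_t k = 0; secret_attrs[k] != NULL; k++) {
		const char *s = secret_attrs[k];
		size_t j = 0;
		if (strlen(s) != len) {
			continue;
		}
		while (j < len && tolower((unsigned char)name[j]) == tolower((unsigned char)s[j])) {
			j++;
		}
		if (j == len) {
			return 1;
		}
	}
	return 0;
}

/* Bounded append that always leaves room for the terminating NUL. */
static void put(char *out, size_t *o, size_t outlen, const char *s, size_t n)
{
	if (*o + n >= outlen) {
		n = outlen - *o - 1;
	}
	memcpy(out + *o, s, n);
	*o += n;
}

/* Copy LDIF from in to out, replacing the value of every secret attribute
 * with "<redacted>".  "attr: v", "attr:: base64" and "attr:< url" are treated
 * alike (the whole value goes), ";options" on the name are ignored, and
 * folded continuation lines of a redacted value are dropped.  Returns the
 * number of values redacted. */
static size_t redact_ldif(const char *in, char *out, size_t outlen)
{
	size_t redacted = 0;
	size_t o = 0;
	int in_secret = 0;          /* last emitted attribute was redacted */
	const char *p = in;

	while (*p != '\0') {
		const char *eol = strchr(p, '\n');
		size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

		if (linelen > 0 && p[0] == ' ') {
			/* folded continuation: belongs to the previous attribute */
			if (!in_secret) {
				put(out, &o, outlen, p, linelen);
				put(out, &o, outlen, "\n", 1);
			}
		} else {
			const char *colon = memchr(p, ':', linelen);
			size_t nlen = colon ? (size_t)(colon - p) : 0;
			const char *semi = colon ? memchr(p, ';', nlen) : NULL;
			size_t cmplen = semi ? (size_t)(semi - p) : nlen;

			in_secret = (colon != NULL) && is_secret_attr(p, cmplen);
			if (in_secret) {
				redacted++;
				put(out, &o, outlen, p, nlen);
				put(out, &o, outlen, ": <redacted>\n", 13);
			} else {
				put(out, &o, outlen, p, linelen);
				put(out, &o, outlen, "\n", 1);
			}
		}
		if (eol == NULL) {
			break;
		}
		p = eol + 1;
	}
	out[o] = '\0';
	return redacted;
}

/* Constructed sample entry; the values are made up, not real credentials. */
static const char sample_ldif[] =
	"dn: CN=alice,CN=Users,DC=example,DC=test\n"
	"cn: alice\n"
	"clearTextPassword: Sup3rSecretValue\n"
	"unicodePwd:: bm90IGEgcmVhbCBoYXNo\n"
	" Zm9sZGVkQ29udGludWF0aW9u\n"
	"description: not a secret\n";

static char redacted_out[512];

/* Run the redactor over the sample; the result text lands in redacted_out. */
static size_t redact_sample(void)
{
	return redact_ldif(sample_ldif, redacted_out, sizeof(redacted_out));
}

int main(void)
{
	size_t n = redact_sample();
	printf("%zu value(s) redacted:\n%s", n, redacted_out);
	return 0;
}
```

The continuation-line handling is the part most redactors get wrong: matching only on the first line of a folded base64 value masks the prefix and logs the rest.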
Günther Deschner
cef0ee28ec s4-dsdb/cracknames: free realm from smb_krb5_principal_get_realm().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 16:37:36 +02:00
Günther Deschner
feabae7417 s4-dsdb/samdb: use smb_krb5_principal_get_comp_string in ldb ACL module.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:34 +02:00
Günther Deschner
3f7b80f691 s4-dsdb/samdb: use smb_krb5_make_principal for compatibility reasons with MIT.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-08-08 06:02:34 +02:00
Volker Lendecke
1dd64341d8 messaging4: Change irpc_servers_by_name to NTSTATUS
For me, counted arrays are easier to deal with than NULL-terminated
ones. Here we also had a "server_id_is_disconnection" convention, which
was not really obvious.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jul 21 20:28:53 CEST 2014 on sn-devel-104
2014-07-21 20:28:53 +02:00
Stefan Metzmacher
04e9d020c9 s4:dsdb/samldb: don't allow 'userParameters' to be modified over LDAP for now
For now it's safer to reject setting 'userParameters' via LDAP,
as we'll not provide the same behavior as a Windows Server.

If someone requires that feature please report this in the following
bug reports!

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul  9 11:07:51 CEST 2014 on sn-devel-104
2014-07-09 11:07:51 +02:00
Andrew Bartlett
d7b4d10aba dsdb: Always store and return the userParameters as a array of LE 16-bit values
This is not allowed to be odd length, as otherwise we can not send it over the SAMR transport correctly.

Allocating one byte less memory than required causes malloc() heap corruption
and then a crash or lockup of the SAMR server.

Andrew Bartlett

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130
Change-Id: I5c0c531c1d660141e07f884a4789ebe11c1716f6
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-07-09 08:42:08 +02:00
Andrew Bartlett
1592eaa5c7 dsdb: Set syntax of userParameters to binary string, not unicode string
This means we continue to store the values as given on SAMR, assuming
that the SAMR buffer is little endian.  The syntax for this specific
object is forced to be a binary blob, so that it is not converted on
DRSUAPI.

This commit does not fix existing databases, nor pdb_samba_dsdb (used
by classicupgrade).

Andrew Bartlett

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077
Change-Id: I10bb6aaecc381194e3c0ce6b9163f961acbdcee1
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-07-09 08:42:07 +02:00
Stefan Metzmacher
d64bc6c9af s4:dsdb/repl_meta_data: make sure objectGUID can't be deleted
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9763

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-07-09 08:42:07 +02:00
Stefan Metzmacher
9e6349f81e s4:dsdb/extended_dn_in: don't force DSDB_SEARCH_SHOW_RECYCLED
We should take the controls the caller provided when we search
for existing objects.

A search with a basedn of '<GUID=....>' should result in LDB_ERR_NO_SUCH_OBJECT
if the object has isDeleted=TRUE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10694

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-07-09 08:42:07 +02:00
Stefan Metzmacher
fa177273b8 s4:dsdb/kcc: use SHOW_RECYCLED instead of SHOW_DELETED when deleting tombstone/deleted objects
SHOW_RECYCLED implies SHOW_DELETED.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10694

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-07-09 08:42:07 +02:00
Stefan Metzmacher
26fa0b97d0 s4:dsdb/schema_load: make error message more verbose
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-07-09 08:42:07 +02:00
Samuel Cabrero
ee32bc2cfb Order switch statements
Signed-off-by: Samuel Cabrero <scabrero@zentyal.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul  7 07:47:44 CEST 2014 on sn-devel-104
2014-07-07 07:47:44 +02:00
Samuel Cabrero
d747372d28 idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo
Signed-off-by: Samuel Cabrero <scabrero@zentyal.com>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
2014-07-07 05:22:33 +02:00
Andrew Bartlett
a0105b84b8 secrets: Ensure we store the secureChannelType when written to secrets.ldb
This will allow winbindd to know when we are an RODC
without needing to dig into sam.ldb.

Change-Id: Ibdfa37fe6269305ccc5db42479f4a8db5eea53f3
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
2014-07-04 02:52:35 +02:00
Andrew Bartlett
791c38282d dsdb: Do not refresh the schema using the wrong event context
What we now do is have the refresh function and module be on a
separate object to the schema, only referring to the data and
not executing on the original ldb and event loop.

That is, we never use another ldb context when calling the
refresh function, by binding the refresh handler to the
ldb and not the schema.

Andrew Bartlett

Change-Id: I5c323dda743cf5858badd01147fda6227599bc16
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Andrew Bartlett
8327321225 dsdb: Do not store a struct ldb_dn in struct schema_data
The issue is that the DN contains a pointer to the ldb it belongs to,
and if this is not kept around long enough, we might reference memory
after it is de-allocated.

Andrew Bartlett

Change-Id: I040a6c37a3164b3309f370e32e598dd56b1a1bbb
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-11 10:18:26 +02:00
Volker Lendecke
7c2b5e77b0 Use GUID_equal in a few places
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-06-10 19:19:13 +02:00
Andrew Bartlett
822b492728 dsdb: Do not give an error if metadata.tdb does not yet exist
Change-Id: I88ee188c776364fd66da388ce01fc9288aa2ded0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-06-04 03:22:26 +02:00
Andrew Bartlett
401f555c28 dsdb: Do not permit nested event loops when in a transaction, use a nested event context
It is never safe to execute arbitrary code inside a transaction - we
need to get in and get out, not run other events for the rest of the
server.

This patch avoids that by creating a private event loop during
transactions, so no unexpected operations fire, and returning the
original one when we finish it.

If an event fires during an LDB transaction, an unrelated operation
can occur during the transaction, and if the transaction were to be
cancelled, there would be a silent rollback (despite the client having
been indicated success).

Additionally, other processes could be called via IRPC that need to
operate on the database but are locked out due to the ongoing
transaction.

Andrew Bartlett

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10582
Change-Id: I22322fc006e61d7291da17cdf6431416ebb7b30f
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May  6 13:36:20 CEST 2014 on sn-devel-104
2014-05-06 13:36:20 +02:00
Andrew Bartlett
543c5bf941 dsdb: Rename private_data to rootdse_private_data in rootdse
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10582

Change-Id: I349a2be67333ada86c19cd6d2ed283cd5bbeb2aa
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-05-06 11:14:06 +02:00
Andrew Bartlett
b19d80d0a9 dsdb: Make it harder to corrupt the database by requiring DBCHECK or RELAX for final object deletion
This kind of deletion can cause us to then replicate back a partial
object.  We allow dbcheck to directly remove totally corrupt objects
(missing an objectclass) by specifying both DBCHECK and RELAX, and the
tombstone sweep after 180 days is done with the RELAX control.

Andrew Bartlett

Change-Id: Ic21f68e507ba9b65e035ca568430e35e2d001c7d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-05-03 07:57:12 +02:00
Stefan Metzmacher
5b22222421 s4:repl_meta_data: fix array assignment in replmd_process_linked_attribute()
Change-Id: I10357236108f68ab749ba0e1f07558302c573887
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-05-02 01:19:19 +02:00
Andrew Bartlett
086c06e361 kerberos: Remove un-used event context argument from smb_krb5_init_context()
The event context here was only specified in the server or admin-tool
context, which does not do network communication, so this only caused
a talloc_reference() and never any useful result.

The actual network communication code sets an event context directly
before making the network call.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
2014-04-28 02:24:57 +02:00
Andrew Bartlett
7a26989d4c dsdb: Specify no event context to smb_krb5_init_context() in dsdb
These routines parse principals and generate keys only, no network
communication is done.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-04-28 00:09:21 +02:00
Andrew Bartlett
e266f610db selftest: Add test for password lockout
Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:48 +02:00
Andrew Bartlett
05c2f83f26 dsdb: Allow SAMR server to return the computed, not actual badPwdCount
This matters after the lockout observation period has expired.

Note that QueryUserInfo level 3 returns the raw badPwdCount value.

Andrew Bartlett

Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Stefan Metzmacher
50b9748fc5 s4:dsdb/samldb: rework samldb_user_account_control_change()
- Removing ACB_AUTOLOCK/UF_LOCKOUT from the effective userAccountControl flags
  (combined with msDS-User-Account-Control-Computed) results in
  lockoutTime=0 (implying badPwdCount=0).

- We also do more validation of the account type flags now.

Change-Id: If7f224cf60920037a0ae19a10d116ac265771a4c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:47 +02:00
Stefan Metzmacher
245d0f1b3d s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()
Setting UF_PASSWORD_EXPIRED doesn't reset "pwdLastSet" to "0"!

Change-Id: I9e004195ad864b8b3fe036986b1087398d1f6fc5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
afdd5fbd51 dsdb: check type with talloc_get_type_abort in samdb_set_password
Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
c91823028f dsdb: Implement password lockout on LDAP password changes
To do this, and have the badPwdCount update stick, we must abort,
open, close and reopen transactions such that the badPwdCount update
is in its own transaction.

To ensure the tests can confirm the correct behaviour here, we must
output the Windows error code in the error message.

Andrew Bartlett

Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
8a89f7f4bc dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
This allows the password_hash code to call the same update routine.

Andrew Bartlett

Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Stefan Metzmacher
1a483a8b4b s4:dsdb/samldb: let lockoutTime=0 reset badPwdCount=0
See [MS-SAMR] 3.1.1.8.3 lockoutTime.

Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
3ed55210ff dsdb: collapse wrong password and no-password-hash errors into one handler
This avoids giving away too much information to an attacker.

Andrew Bartlett

Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
2dd71de11a dsdb: Add samdb_result_passwords_from_history helper function
Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
526f98308a dsdb: give a better error message and return code on failed password change
Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
a0de929009 dsdb: Put password lockout support in samdb_result_passwords()
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.

Andrew Bartlett

Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
6f8fb163e0 dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
This allows us to avoid the domain lookup in the constructed attribute
when not required.

By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.

Andrew Bartlett

Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
77e4beb0e0 dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputed
This assists in testing this aspect of
msDS-User-Account-Control-Computed, and is exposed in AD for clients
to query.

Andrew Bartlett

Change-Id: I10fd214b0585a16f8addb00c252f656419a03f4a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
1d266b4938 dsdb-operational: Implement msDS-User-Account-Control-Computed
This is needed to get consistent account lockout support across the whole server.

Andrew Bartlett

Change-Id: I2fa1e707d33f5567b6cb4e2b27e340fa9f40cee9
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
9a3651ece1 dsdb-operational: Use a list for the extra attributes that may be required
Change-Id: Ifa2e006c9401e92e71d6588d6ea879c6f437cdd5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00