IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The biggest change consists in the implementation of the Windows Server
return size formula MIN(*r->out.num_entries, 1+(r->in.max_size/SAMR_ENUM_USERS_MULTIPLIER).
"size_t" counters aren't really needed here (we don't check data lengths).
And we save the result in a certain "num_sids" variable which is of type
"unsigned".
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
The "count" size specifiers I typed "uint32_t" since they're often returned as
an "uint32_t" (consider the IDL file). LDB counters need to be "signed" if they
count till a limit of a "gendb*" call or "unsigned" if they count directly the
number of objects.
This should return NT_STATUS_INVALID_PARAMETER.
This makes samba pass the first part of the samr-lockout test.
This constraint is documented here for the samr server:
http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
and here for the ldap backend:
http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
MS-ADTS 3.1.1.5.3.2 Constraints
So the check should actually be moved down into the backend,
i.e. under dsdb/samdb/ldb_modules - TODO..
Michael
In general functions that don't return any memory should not take a memory context.
Otherwise it is too easy to have a bug like this where memory is leaked
This allows us to reuse a ldb context if it is open twice, instead
of going through the expensive process of a full ldb open. We can
reuse it if all of the parameters are the same.
The change relies on callers using talloc_unlink() or free of a parent
to close a ldb context.
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
In this code part under certain circumstances we can end up with an empty message.
Since our new behaviour denies them (like the real AD) we need to bypass them
on LDB modify calls.
When doing some tests with the NT User Manager for Domains on s4 I noticed that the
handling of the primary group for a user wasn't correct. So I fixed this.
Also some cosmetic changes (tab indent corrections).
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.
Andrew Bartlett
The ldb_val is length-limited, and while normally NULL terminated,
this avoids the chance that this particular value might not be, as
well as avoiding a cast.
Andrew Bartlett
I'm very glad we have such a comprehensive testsuite for the SAMR
password change process, as it makes this a much easier task to get
right.
Andrew Bartlett
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
The 'comment' element in a number of domain structures is called
oem_information. This was picked up actually because with OpenLDAP
doing the schema checking, it noticed that 'comment' was not a valid
attribute.
The rename tries to keep this consistant in both the LDB mappings and
IDL, so we don't make the same mistake in future.
This has no real schema impact, as this value isn't actually used for
anything, as 'comment' was not used in the provision.
Andrew Bartlett
(This used to be commit 65dc0d5365)
Now that we don't create users/domain groups/aliases in the builtin
domain, we hit some bugs in the server-side implementation of the
enumeration functions.
In essence, it turns out to be: don't treat 0 as a special case.
Also, fix up the PDC name to always be returned. I'm sure nothing
actually uses it, particularly for BUILTIN...
Andrew Bartlett
(This used to be commit 353bb79f56)
The gendb_*() API does not return error codes, and mixes error returns
with the count of returned entries.
Andrew Bartlett
(This used to be commit facbc8dfa5)
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b05)
More correctly handle expired passwords, and do not expire machine accounts.
Test that the behaviour is consistant with windows, using the RPC-SAMR test.
Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.
Andrew Bartlett
(This used to be commit acda1f69bc)
We need to be far more granular bout this - in particular, we need a
decide LDAP -> NTSTATUS conversion.
Andrew Bartlett
(This used to be commit 30fc3752c7)
to prove it is correct.
This should fix bug #4824: User Manager for Domains - Account Expires.
Thanks!
Andrew Bartlett
(This used to be commit e5f0744d62)
machine accounts are not subject to password policy in Win2k3 R2 (at
least in terms of password quality).
In testing this, I found that Win2k3 R2 has changed the way the old
ChangePassword RPC call is handled - the 'cross-checks' between new LM
and NT passwords are not required.
Andrew Bartlett
(This used to be commit 417ea885b4)
SAMR. This can't be done in the ldb templates code, as it doesn't
happen over direct LDAP.
As noted in bug #4829.
Andrew Bartlett
(This used to be commit 3bfa6dbf7d)
Any SAMR client (usrmgr.exe in this case) that attempted to set a
property to a zero length string found instead the the old value was
kept.
In fixing this, rework the macros to be cleaner (add the
always-present .string) to every macro, and remove the use of the
samdb_modify() and samdb_replace() wrappers where possible.
Andrew Bartlett
(This used to be commit b05fe69304)
Should fix another part (list of domains in usrmgr incorrectly
including accounts) of bug #4815 by mwallnoefer@yahoo.de.
Andrew Bartlett
(This used to be commit 7f7e4fe298)
- The icons in usermgr were incorrect, because the acct_flags were
not filled in (due to missing attribute in ldb query)
- The Full name was missing, and the description used as the full
name (due to missing attributes in ldb query and incorrect IDL)
To prove the correctness of these fixes, I added a substantial new
test to RPC-SAMR-USERS, to ensure cross-consistancy between
QueryDisplayInfo and QueryUserInfo on each user.
This showed that for some reason, we must add ACB_NORMAL to the
acct_flags on level 2 queries (for machine trust accounts)...
Getting this right is important, because Samba3's RPC winbind methods
uses these queries.
Andrew Bartlett
(This used to be commit 9475d94a61)
that we had the wrong objectClass for OU=Domain
Controllers,${DOMAINDN} (was CN=Domain Controllers,${DOMAINDN})
This fixes both the SAMR server and the LDIF templates.
Andrew Bartlett
(This used to be commit 625a9e6c04)
wants to check for an existing domain join account, and fails. This
test shows that we need to return NT_STATUS_NONE_MAPPED when nothing
matches. (not yet tested if this helps vista).
Andrew Bartlett
(This used to be commit 7f3671bf11)
"ntPwdHash" => "unicodePwd"
"lmPwdHash" => "dBCSPwd"
"sambaLMPwdHistory" => "lmPwdHistory"
"sambaNTPwdHistory" => "ntPwdHistory"
Note: you need to reprovision after this change!
metze
(This used to be commit dc4242c09c)
way to setup a Samba4 DC is to set 'server role = domain controller'.
We use the fSMORoleOwner attribute in the base DN to determine the PDC.
This patch is quite large, as I have corrected a number of places that
assumed taht we are always the PDC, or that used the smb.conf
lp_server_role() to determine that.
Also included is a warning fix in the SAMR code, where the IDL has
seperated a couple of types for group display enumeration.
We also now use the ldb database to determine if we should run the
global catalog service.
In the near future, I will complete the DRSUAPI
DsGetDomainControllerInfo server-side on the same basis.
Andrew Bartlett
(This used to be commit 67d8365e83)
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3)
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77)
- creation of ForeignSecurityPrincipals
- template duplication code
Rework much of the LSA server to pass the RPC-LSA test. Much of the
server code was untested. In implementing the LSA Accounts feature, I
have opted to have it only create entires when privilages are applied,
and not to delete entries, but to delete the privilages.
We skip some parts of the test, but it is much better than not testing
it at all.
Andrew Bartlett
(This used to be commit 10eeea6da4)
still a couple of unimplemented functions, but this is far better than
not testing this at all. In particular, this exercises the
password_hash module.
Specific changes:
- Add support for SetDomainInfo
- Add many more info levels to QueryDomainInfo
- Set a domain comment in RPC-SAMR, and verify it is kept
- Refactor QueryUserInfo not to always serach for all attributes
- Add QueryDiplayInfo3 and QueryDomainInfo2 as aliased calls
- Make OemChangePassword2 search under the samdb_base_dn(), so it
finds the user when partitions are active.
- Skip SetSecurity, DisplayIndex, MemberAttributesOfGroup and
'Multiple' alias operations in RPC-SAMR for Samba4
- Add RPC-SAMR as a 'slow' RPC test (it is quite slow)
Andrew Bartlett
(This used to be commit 01d25c9d6c)
This change is required for compatibility with the OSX client, in
particular, but returning 0x80000002 rather than -2147483646 violates
what LDAP clients expect in general.
Andrew Bartlett
(This used to be commit 81f3cd1c45)
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3)
if the 'password does not expire' flag has been set, filling in the
PAC and netlogon reply correctly if so.
Andrew Bartlett
(This used to be commit c530ab5dc6)
sambaNTPassword. Likewise lmPwdHistory -> sambaLMPwdHistory.
The idea here is to avoid having conflicting formats when we get to
replication. We know the base data matches, but we may need to use a
module to munge formats.
Andrew Bartlett
(This used to be commit 8e608dd4bf)
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name. It may cause problems later when we get
replication form windows.
I'm doing this before the tech preview, so we don't get too many
supprises as folks upgrade databases into later versions.
Andrew Bartlett
(This used to be commit 097d9d0b7f)
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).
The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code. We also update the msDS-KeyVersionNumber, and the password
history. This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.
By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic. (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB. This simplfies the KDC code.).
It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e902274321)
different computer account types. (Earlier code changes removed the
BDC case).
We don't use the TemplateDomainController, so just have a
TemplateServer in provision_templates.ldif
Andrew Bartlett
(This used to be commit c4520ba2e6)
This is for use on user-supplied arguments to printf style format
strings which will become ldb filters. I have used it on LSA, SAMR
and the auth/ code so far.
Also add comments to cracknames code.
Andrew Bartlett
(This used to be commit 8308cf6e04)
for netlogon as well) to change/set a user's password, given only
their SID.
This avoids the callers doing the lookups, and also performs the
actual 'set', as these callers do not wish any further buisness with
the entry.
Andrew Bartlett
(This used to be commit 060a2a7bcc)
ldap. Also ensure we put a objectclass on our private ldb's, so they
have some chance of being stored in ldap if you want to
(This used to be commit 1af2cc067f)
authenticated session down into LDB. This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.
Along the way, I cleaned up a few things, and added new helper functions
to assist. In particular the LSA pipe uses simpler queries for some of
the setup.
In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.
I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.
Andrew Bartlett
(This used to be commit fd7203789a)
