The test suite needs to reflect the change from domainlevel to "domain level" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The functionality of machinepwd has been moved to "domain machinepassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Changed test suite to reflect the changes from setpassword to "domain setpassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The functionality in setpassword has now been moved to "user setpassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This verifies that for NTLM authenticated connections, named pipe
forwarding works as expected, including the session keys.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This will allow the source3 auth code to call this without needing to
double-parse the SIDs
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
TODO: check why this is needed.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jul 15 12:26:25 CEST 2011 on sn-devel-104
kcc_service struct gets an intrasite_code
boolean that is filled in via parametric parameter
kccsrv:intrasite = [true/false] in smb.conf. This
will allow us to continue to utilize old simple
KCC topology as continuing default while newer
intra-site topology matures further.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Jul 14 00:19:12 CEST 2011 on sn-devel-104
We need the ability to utilize this function in a different
manner. KCC intra-site topology has already vetted the
replica as being appropriate to produce a repsFrom from.
We do not want kccsrv_add_repsFrom() to produce further
checking as was the case for simple topology. Thus if
we pass a NULL (res) parameter this extra check will
be skipped.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
kccsrv_replica_flags() and
kccsrv_add_repsFrom() need to be available to functions
outside kcc_periodic.c
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Utilized by KCC to carry the invocation id of the NTDSDSA
that we are replicating the name context from. Utilized
when NTDSConnection is created (much like dsa_guid tracks
the NTDSDSA objectGUID that we are replicating the name
context from).
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Previously this set an explicit (0x1) value whereas it
can now utilize NTDSCONN_OPT_IS_GENERATED from flags.h
Signed-off-by: Andrew Tridgell <tridge@samba.org>
A helper function for retrieving the ntds site settings
via standalone function call. Used within KCC
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Flags that were missing from flags.h or were incorrectly
defined inline to the kcc_topology.c code (and thus unusable
elsewhere). These are the NTDSConnection and NTDSDSA Site
settings flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
this fixes the DN to have a full GUID for new objects
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jul 13 14:03:30 CEST 2011 on sn-devel-104
some DNs are not set up with GUIDs during the provision because of
circular dependencies between objects. This adds a dbcheck pass to the
provision to fix those DNs
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this checks for missing backlinks or backlinks without a forward link
and optionally fixes them
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows you to force a reindex of the database
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this avoids the need for access to the secrets database
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
the samldb checks failed to account for the possibility of a member
being removed and added in the same modify operation. This happens
(for example) when dbcheck is fixing a SID in a DN.
The repl_meta_data.c code already has this check, it just wasn't
giving the right specialised error code for the 'member' attribute
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
It's not only a cache as we also support static records.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jul 12 16:16:45 CEST 2011 on sn-devel-104
this is better than doing a schema search inside the dbcheck code
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Jul 11 07:43:18 CEST 2011 on sn-devel-104
this allows conversion from a DRS attribute ID to a LDAP display name
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
when fixing missing attributes in replPropertyMetaData, allow user to
confirm changes, and check for exceptions
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
When an object is deleted, links pointing to it are marked as inactive.
When the same object is purged we do not remove the links pointing to it
(we can't know them) so they stay in the database; this turns out to be a
problem for Windows 2008.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The usual use case is that you have a not complete linked attribute (ie.
without the SID) if we keep using the old dn, then the SID will never be
added.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This is needed because we can have more than 1 value in a single valued
attribute as we store also deleted values. So we do the check in repl_meta_data
and then indicate LDB to do the check.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
this makes dbcheck search over all objects, deleted or not. This
matters because when another DC replicates from this DC it replicates
the deleted objects as well, so invalid attributes in deleted objects
can cause problems on the new DC (for example, windows can get stuck
or even crash during the replication)
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
the objectclass_attrs validation that an object contains all mandatory
attributes is incorrect for deleted objects, as they get stripped of
some mandatory attributes when deleted (for example, objectCategory
gets stripped)
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
when extended_dn_in fails to resolve a GUID extended DN component, the
debug code assumed that it was a search operation, and accessed
ac->req->op.search.base, which is not valid for non-search DN
expansions.
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
This is handled by a common header and a .c file that is included into
both loadparm.c files.
In the process, _lp functions were renamed to lp__ to allow the common
function definition declarations to be used by source3 and source4
(which have different macro definitions).
The only parameter to change type is 'strict_locking' which was a
bool, and is now an int, to accommodate the 'Auto' value from source3.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 8 12:35:56 CEST 2011 on sn-devel-104
This is so that the pyparam hooks can use the hooks to connect with
the s3 loadparm system. This now also includes per-service
parameters.
Andrew Bartlett
this asks the user if they want to remove an unknown attribute. You
can also choose 'all' which will auto-confirm all questions about
removing unknown attributes.
when asking the user to confirm an action, allow for an 'all'
choice, which will be used to allow the user to confirm all future
requests of the same type
this allows attributes not known in the schema to be removed if the
caller has set the RELAX control. This will be used by dbcheck to
allow cleaning of bad attributes from the database
We need to ensure that if this parses name.name_string as just one
val, then we don't read uninitialised and possibly unallocated memory.
Found by Adam Thorn <alt36@cam.ac.uk>
While we are checking that, we need to fix the strncasecmp() check to
first check if the string is the expected length, then check for a
match against sAMAccountName-without-dollar, as otherwise we will
permit a string such as machinefoo to match a sAMAccountName of
machine.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104
As mit_samba_update_pac_data() doesn't support adding
S4U_DELEGATION_INFO to the pac (and I have no clue how to add that)
we should disable S4U2Proxy until this is implemented.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jun 28 20:35:19 CEST 2011 on sn-devel-104
commit "heimdal Add support for extracting a particular KVNO from the database"
(f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master
and 9b5e304cce in samba/master)
changed the windc_plugin interface, so we need to change the
version number.
metze
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jun 24 20:35:30 CEST 2011 on sn-devel-104
For now this only works on the local sam.ldb, but it shouldn't be hard
to improve it to talk to remote servers.
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
metze
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.
metze
As discussed in 'CH_DISPLAY and gettext' on the samba-technical list:
http://lists.samba.org/archive/samba-technical/2011-June/078190.html
Setting this to a value other than 'unix charset' does not make sense,
as any system where the filesystem charset does not equal the terminal
charset will already have problems with programs as simple as 'ls'.
It also means that our output could not be pasted as our input in
interactive programs or onto our command line, as we never did
translate in the DISPLAY -> UNIX direction.
The d_printf() calls are retained in case we need to revisit this, and
to support display_set_stderr().
Andrew Bartlett
Note: this doesn't work against a Samba4 KDC yet.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 18:17:43 CEST 2011 on sn-devel-104
this allows dbcheck to fix bad attributes
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104
if we search with a base DN that has both a GUID and a SID, then use
the GUID first. This matters for the S-1-5-17 SID.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
When searching using extended DNs, if there are multiple matches then
return an object not found error. This is needed for the case of a
duplicate objectSid, which happens for S-1-5-17
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets
which belong to the client principal of the TGT.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.
We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.
metze
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun 22 07:59:30 CEST 2011 on sn-devel-104
When converting from DRS to ldb format for a BINARY_DN, don't add the
GUID extended DN element if the GUID is all zeros.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This makes it much easier and less error prone to add new parameters
as we merge the s3 and s4 loadparm systems.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Jun 21 04:41:54 CEST 2011 on sn-devel-104
Because we now always build the source3 code, we can link directly
against a private libnetapi and libsmbclient to test the behaviour of
these important APIs.
We use a private libnetapi_net_init(), and by using this interface
rather than the public one, we can ensure that the correct smb.conf is
loaded (as smbtorture4 is a Samba4 semantics binary).
The #include of the source3 includes.h is required to do the manual
lp_load().
Andrew Bartlett
These same names are used in the source3 popt code, which is called from
libsmbclient and libnet. These are then included in the smbtorture
binary for testing
Andrew Bartlett
This removes the lang_tdb based variant, the only user of the lang_tdb
code is SWAT, which calls that directly.
'net' and 'pam_winbind' are internationalised using gettext.
Andrew Bartlett
This is simplistic. We need to support making TDB2 a standalone library,
but for now, we simply built it in-tree.
Once we have tdb1 compatibility in tdb2, we can rename this option to
--enable-tdb2.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This is a helper for the common case of opening a tdb with a logging
function, but it doesn't do all the work, since TDB1 and TDB2's log
functions are different types.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
These don't exist in tdb2. The former is used in one weird place in
tdb1, and the latter not at all.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
TDB2 returns void here. tdb_unlockall will *always* return with the
database unlocked, but it will complain via the log function if it wasn't
locked.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
TDB2 returns a negative error number on failure. This is compatible
if we always check for < 0 instead of == -1.
Also, there's no tdb_traverse_read in TDB2: we don't try to make
traverse reliable any more, so there are no write locks anyway.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
TDB2 returns void here. tdb_transaction_cancel will *always* return
with the transaction cancelled, but it will complain via the log
function if a transaction wasn't in progress.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
TDB2 returns a negative error number on failure. This is compatible
if we always check for != 0 instead of == -1.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
TDB2 returns a negative error number on failure. This is compatible
if we always check for != 0 instead of == -1.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We change all the headers and wscript files to use tdb_compat; this
means we have one place to decide whether to use TDB1 or TDB2.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
The two error tables need to be combined, but for now separate the names.
(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
Due to library link orders, this is already the function that is being
used. However we still need to sort out the duplicate symbol issues,
probably by renaming things.
Andrew Bartlett
This does not move statedir, leaving it in PREFIX/var/locks because
state files such as idmap are dangerous to move, as they might
re-create, causing chaos.
This isn't ideal, but I don't have a better solution right now.
Andrew Bartlett
The following changes are made since Samba 3.6:
* --with-ncalrpcdir and --with-nmbdsocketdir are replaced with --with-socket-dir
(with ntp_signd, winbindd, nmbd subdirs)
* This moves the winbind socket out of /tmp. Distributions have moved
this out of /tmp for quite some time now, and /var/run is the FHS
blessed location these days. --with-socketdir should point to
/var/run in a distribution package.
* Configuration files are expected in PREFIX/etc instead of PREFIX/lib
(they need to be moved manually)
* SWAT data files have moved to PREFIX/share/swat (alongside
PREFIX/share/setup containing samba4 provision templates).
* The --with-fhs option is no longer available (it was never very
useful, and major distributions (Debian, OpenSuSE, Fedora) either
specified every option (overriding the effect) or didn't specify it
at all).
* PID files are now in PREFIX/var/run, moved from PREFIX/var/locks
* The ncalrpc and nmbd sockets are now in PREFIX/var/run by default
The following changes are made for users of Samba3 binaries built with the top level build in master
* 'state' files are now expected to be in their Samba 3.6 location
PREFIX/var/locks (and will need to be moved manually)
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
With the fix introduced by Nadya in changeset
622ef6aed8 we are now able to generate
correct SD (at least the same as W2k3R2 with a Forest Level of 2003), so
there is no need for this fix anymore as it makes SDs for Forest Level
2003 and lower incorrect.
The system account was instantiated with wrong user and group SIDs, group
sid resulted being just the domain SID.
Bug seems to date from fbe6d155bf.
Andrew (B.) please check.
In order to make the function a bit clearer and with less depth,
the selection of attribute that are not updated is split in two
functions depending on the fact that we are using mainly
replPropertyMetadata to make our choice or if we are using the list of
attributes that should, could or shouldn't be updated/created/deleted.
We need to synchronise these mappings, as the duplication of this
symbol in the build means that either may be called based only on
library link orders.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jun 17 10:22:07 CEST 2011 on sn-devel-104
this prevents spurious error messages on client commands when we
will fallback to NTLM authentication
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this call converts a set of attributes to DRSUAPI format and back to
ldb format. This has the effect of normalising the attributes using
the schema syntax rules
This changes commit 49352cafb4 to comply
with kblin's plans.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Jun 16 10:14:52 CEST 2011 on sn-devel-104
This changes the controls option on ldb operations to be a keyword
argument, which is more consistent with general python
conventions. This also fixes the pydoc output to include the controls
option.
This allows validation of ldb messages in a ldb modify operation to be
bypassed, by setting validate=False. This is useful in the dbcheck
tool to allow for removing invalid empty attributes from the database