mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

3995 Commits

Author SHA1 Message Date
Stefan Metzmacher
edeb577a59 s4:dsdb/repl: make sure the working_schema prefix map is populated with the remote prefix map
We should create the working_schema prefix map before we try to
resolve the schema. This allows getting the same mapping (if there's not already
a conflict) and allows us to remove the implicit prefix mapping creation
in the prefix mapping lookup functions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12128

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-11 00:49:14 +02:00
Stefan Metzmacher
f905ddc104 s4:dsdb/schema: make dsdb_schema_pfm_add_entry() public and more useful
We allow a hint for the id from the remote prefix map.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12128

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-11 00:49:14 +02:00
Andrew Bartlett
29caafaf28 s4:dsdb/schema: Remove unused old schema from memory
This avoids confusion when reading the talloc dump from a ldb context that has
been the target of replication, as the dsdb_schema_copy_shallow() memory was
still around, if unused.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12115

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-08-11 00:49:14 +02:00
Andrew Bartlett
c533b60ceb s4:dsdb/repl: Improve memory handling in replicated schema code
This attempts to make it clear what memory is short term and what memory is long term

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12115

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-08-11 00:49:14 +02:00
Stefan Metzmacher
0a1627de6d s4:dsdb/schema: don't treat an older remote schema as SCHEMA_MISMATCH
It's perfectly valid to replicate from a partner with an older schema
version, otherwise schema changes would block any other replication
until every dc in the forest has the schema changes.

This avoids an endless loop trying to get schema in sync with the partner.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12115

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-11 00:49:14 +02:00
Stefan Metzmacher
386dbc428b s4:dsdb/schema: store struct dsdb_schema_info instead of a hexstring
This will simplify the schema checking in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12115

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-11 00:49:14 +02:00
Stefan Metzmacher
ab63866e25 s4:dsdb/repl: avoid recursion after fetching schema changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12115

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-11 00:49:14 +02:00
Stefan Metzmacher
7143aed4e4 s4:dsdb/schema: don't change schema->schema_info on originating schema changes.
The next reload will take care of it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12114

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-11 00:49:14 +02:00
Jeremy Allison
1ddd01dd21 s4: repl: Ensure all error paths in dreplsrv_op_pull_source_get_changes_trigger() are protected with tevent returns.
Otherwise dreplsrv_op_pull_source_get_changes_trigger() could infinitely recurse.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Aug  6 01:24:05 CEST 2016 on sn-devel-144
2016-08-06 01:24:05 +02:00
Andrew Bartlett
eeb594ce93 dsdb: Limit potential stack use when parsing extended DNs
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-07-28 10:06:12 +02:00
Garming Sam
fa6411657f replmd: Send replicated update OID for forward links
(The backward link case needs to be tested)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-28 10:06:09 +02:00
Garming Sam
2bb5f7d3ce replmd: Remove data field on DSDB_CONTROL_REPLICATED_UPDATE_OID
There were no users of the data, and it added additional complexity

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-28 10:06:09 +02:00
Garming Sam
15e621773d replmd: Check dsdb_dn for syntax errors
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-28 10:06:09 +02:00
Volker Lendecke
9e676b25dd dsdb: Fix CID 1364520 Incorrect expression (EVALUATION_ORDER)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 26 23:48:19 CEST 2016 on sn-devel-144
2016-07-26 23:48:19 +02:00
Garming Sam
1f4d9355a2 AddressSanitizer: Initialize for kcc_topology.c
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-07-25 13:56:11 +02:00
Stefan Metzmacher
32a254d1dd s4:dsdb/replicated_objects: don't skip notifications on resolved conflicts
We should propagate resolved conflicts immediately.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jul 23 03:18:58 CEST 2016 on sn-devel-144
2016-07-23 03:18:58 +02:00
Stefan Metzmacher
049b50766a s4:dsdb/repl_meta_data: remember originating updates when applying replicated changes
The caller needs to know about them in order to decide about possible
notifications.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:22 +02:00
Stefan Metzmacher
f1bb8f69df s4:dsdb/tests: add UF_SMARTCARD_REQUIRED tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Stefan Metzmacher
acb208625b s4:dsdb/password_hash: add the UF_SMARTCARD_REQUIRED password reset magic
When UF_SMARTCARD_REQUIRED is set to an account we need to remove
the current password and add random NT and LM hashes (without updating
the pwdLastSet field).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Andrew Bartlett
281b73f124 build: Add hints on what libraries to install for gpgme support on failure
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 22 19:51:09 CEST 2016 on sn-devel-144
2016-07-22 19:51:08 +02:00
Stefan Metzmacher
763acdc2e7 s4:dsdb/samdb: optionally store package_PrimarySambaGPGBlob in supplementalCredentials
It's important that Primary:SambaGPG is added as the last element.
This is the indication that it matches the current password.
When a password change happens on a Windows DC,
it will keep the old Primary:SambaGPG value, but as the first element.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-07-22 16:03:27 +02:00
Stefan Metzmacher
81190f910a s4:dsdb/samdb: add configure checks for libgpgme
This will be used to store the cleartext utf16 password
GPG encrypted as 'Primary:SambaGPG' in the
supplementalCredentials attribute.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-07-22 16:03:27 +02:00
Garming Sam
fbc26289e5 samba_kcc: Enable the python samba_kcc
For any reasonably large domain, the old KCC is impractical as the dense
mesh topology causes replication pulses.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-21 06:37:08 +02:00
Garming Sam
c11629b6ad drepl: Fix a typo
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-21 06:37:07 +02:00
Stefan Metzmacher
f9a4d0d2a0 s4:dsdb/password_hash: explicitly set SUPPLEMENTAL_CREDENTIALS_SIGNATURE
Typically this is automatically set in ndr_push_supplementalCredentialsBlob(),
but we need to change that behavior in order to handle strangely formatted
values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-07-20 21:27:17 +02:00
Douglas Bagnall
bbdace4b2c VLV tests: remove vestigial pdb stub
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 19 17:22:51 CEST 2016 on sn-devel-144
2016-07-19 17:22:51 +02:00
Douglas Bagnall
465b7bf827 VLV tests: add tests with show_deleted control
These tests add a few deleted users and ensure they are VLV-able.

In a `make test` context there will be other deleted users lying
around, so we can't assert the expected results of the search without
looking first.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-19 13:41:12 +02:00
Douglas Bagnall
31707cdeaa VLV: fix handling with show_deleted and similar controls
The first search in each round of VLV performs the search then saves
the results in the form of an array of GUIDs, which subsequent calls
refer to to get different ranges from the same search. These
subsequent calls make an individual search for each GUID. If the
original search had the show_deleted control, the array may contain
GUIDs for deleted items, which would not be seen on the later
searches without the same control.

So we save all controls except the VLV itself and the sort control
(which won't affect the search for a single GUID) and reuse them on
the subsequent VLV searches.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-19 13:41:12 +02:00
Douglas Bagnall
8bb14af584 VLV tests: comment typo
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-19 13:41:12 +02:00
Douglas Bagnall
929ec47c2a VLV tests: reduce test duplication hence elapsed time
This makes before/after lattice sparser for the slower tests. While
we're doing that, some of the tests are changed to traverse the
lattice in a different order just in case that matters.

There is very little chance that any particular combination of before
and after parameters will behave uniquely wrongly.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-19 13:41:12 +02:00
Andrew Bartlett
6b458a1a8c drs: pass the forced-replication flag from DsReplicaSync to GetNCChanges
This ensures we can sync from a server with DISABLE_OUTBOUND_REPL set

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2016-07-19 13:41:11 +02:00
Andrew Bartlett
da66a89bb4 repl: Remove check for parentGUID being NULL in dsdb_convert_object_ex()
We find that Windows 2012R2 sends a NULL parent_guid here, probably when no change to name is replicated.

That is, if there has not been a rename, this is not required information, as we
can just merge with the existing object, no matter where it is

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2016-07-19 13:41:11 +02:00
Garming Sam
31ffe97178 extended_dn_out: Force showing of one-way links if they exist
Signed-off-by: Garming Sam <garming@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:29 +02:00
Garming Sam
00e828a8a8 link_attrs: Add tests for one way links (and pseudo one-way)
Tested against Win2012R2. The deactivated link control has no effect on either
one way links or pseudo ones (only two-way ones presumably).

Signed-off-by: Garming Sam <garming@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:29 +02:00
Douglas Bagnall
4cb565bc87 dsdb tests: add linked attribute tests
Note that this test will not work properly across ldap as the
marked-deleted linked attributes will not appear.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:28 +02:00
Douglas Bagnall
5ce969d0c7 dsdb: add vanish links control
Normally linked attributes are deleted by marking them as with RMD flags,
but sometimes we want them to vanish without trace. At those times we
set the DSDB_CONTROL_REPLMD_VANISH_LINKS control.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:28 +02:00
Douglas Bagnall
b7b229a424 repl_meta_data: free context on error in replmd_modify_la_delete()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:28 +02:00
Douglas Bagnall
5d201591e3 replmd_modify_delete: check talloc_new()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:28 +02:00
Douglas Bagnall
ebed182e34 s4/dsdb/repl_meta_data: use local bool version of flag
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:28 +02:00
Volker Lendecke
be39b73ccd dsdb: Fix CID 1363810: Null pointer dereferences
The if-condition explicitly tests for new_schema==NULL, so this seems to be a
valid error case. The DEBUG statement would segfault in this case.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 13 06:34:33 CEST 2016 on sn-devel-144
2016-07-13 06:34:33 +02:00
Andrew Bartlett
8a5a9045ad dsdb: Improve debugging during SD recursion failure
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Jul 13 02:59:25 CEST 2016 on sn-devel-144
2016-07-13 02:59:25 +02:00
Andrew Bartlett
ba8e8687bd dsdb: Avoid search on * in replmd_replicated_apply_next()
A search on * can be quite expensive if we have to post-process any of the results

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-07-12 23:24:13 +02:00
Andrew Bartlett
fb9af9727f Revert "dsdb: Disable tombstone_reanimation module until we isolate what causes flaky tests"
This reverts commit 252b62c54e.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
7ea5ec0f28 s4:dsdb/tests: add RestoreUserPwdObjectTestCase test
This is the same as RestoreUserObjectTestCase, but we
set the password on add and reanimate.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
55932d7ecd s4:dsdb/tests: improve the RestoreUserObjectTestCase test
We verify attributes, values and their replication metadata after
each step (add, delete, reanimate).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
cf19ab651a s4:dsdb/tests: improve tombstone_reanimation verifications
We should do case sensitive checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
16d36603e8 s4:dsdb/tests: make tombstone_reanimation.py executable
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
7bfefa9ae2 s4:dsdb/tests: make use of assertAttributesEqual() in RestoreUserObjectTestCase()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
c16b30c411 s4:dsdb/tombstone_reanimate: restructure the module logic
Now we keep all state in struct tr_context and split
the preparation and execution of sub requests into
helper functions.

The most important change is that we now
pass mod_req to dsdb_user_obj_set_defaults(),
so that it can add controls to it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
272d6478a2 s4:dsdb/common: prepare dsdb_user_obj_set_defaults() for tombstone reanimation
accountExpires gets a different value, logonHours is not updated,
operatorCount and adminCount are added.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
0350e3a42a s4:dsdb/repl_meta_data: remove secret attributes on delete
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
5287e4046d s4:dsdb/repl_meta_data: sort preserved_attrs and add "msDS-PortLDAP"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
73d9f8bef7 s4:password_hash: correctly update pwdLastSet on deleted objects.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Stefan Metzmacher
6d4c4855c9 s4:dsdb/samdb: add const to dsdb_make_object_category()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-09 15:06:19 +02:00
Garming Sam
f060811a9f schema: raise debug level
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-08 10:01:20 +02:00
Garming Sam
657e31450c schema: Remove unnecessary schema reload code
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-08 10:01:20 +02:00
Stefan Metzmacher
26d117c2a2 s4:dsdb/password_hash: force replication meta data for empty password attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-08 10:01:20 +02:00
Stefan Metzmacher
b0501a1cb0 s4:dsdb/common: add a replication metadata stamp for an empty logonHours attribute
When a user object is created it gets a metadata stamp for logonHours,
while the logonHours attribute has no value.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-08 10:01:20 +02:00
Stefan Metzmacher
d243996341 s4:samba_dsdb: add "dsdb_flags_ignore" module
This module removes internal flags from ldb_message_elements.
Typically the repl_meta_data module handles DSDB_FLAG_INTERNAL_FORCE_META_DATA,
but there're some cases where we don't use that module.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-08 10:01:20 +02:00
Stefan Metzmacher
1ca71aa152 s4:dsdb/samdb: add DSDB_FLAG_INTERNAL_FORCE_META_DATA
With this it's possible to add a replPropertyMetaData entry for an empty
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-08 10:01:19 +02:00
Andreas Schneider
38b7bed93c s4-dsdb: Add missing header file for write() and close()
This fixes compilation with gcc 4.8.5.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-07-06 19:07:16 +02:00
Andrew Bartlett
51d2779a60 schema: Reorder dsdb_set_schema() to unlink the old schema last
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-07-06 15:35:17 +02:00
Andrew Bartlett
2a90606417 dsdb: Remove 120 second delay and USN from schema refresh check
We now refresh it once the schema changes, so that replication can
proceed right away.  We use the sequence number in the metadata.tdb.

The previous commit added a cache for this value, protected by
tdb_seqnum().

metadata.tdb is now opened at startup to provide this support.

Note that while still supported, schemaUpdateNow is essentially redundant:
instead, to ensure we increment the sequence number correctly, we unify that check
into repl_meta_data at the transaction close.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-07-06 15:35:17 +02:00
Andrew Bartlett
5abcdd56ba dsdb: Remove use of schema USN in samldb_add_handle_msDS_IntId
This is not a frequent enough operation to warrant a cache, and the USN will be removed
from the schema code shortly

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-07-06 15:35:17 +02:00
Andrew Bartlett
bad502fd86 schema: Make the fetch of the schema version fast
Use the tdb_seqnum() to avoid needing locks to check if the schema has not changed

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-07-06 15:35:17 +02:00
Bob Campbell
6e378546ce provision: Ignore duplicate attid and governsID check
During the provision this causes a huge performance hit as these two
attributes are unindexed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2016-07-06 15:35:17 +02:00
Bob Campbell
965361aa92 password_hash: Make an error message clearer
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Jul  5 03:47:52 CEST 2016 on sn-devel-144
2016-07-05 03:47:52 +02:00
Bob Campbell
21295155cc check_password_script: Add a DEBUG message for timeouts
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-05 00:00:15 +02:00
Garming Sam
878fa6ef7d check-password-script: Allow AD to execute these scripts
In contrast to source3, this is run as root and without substitution.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-05 00:00:14 +02:00
Stefan Metzmacher
193de1c0e9 s4:dsdb/tests: let password_lockout.py verify the logonCount values
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
20ad79fecb s4:dsdb/tests: let password_lockout.py validate the lastLogon and lastLogonTimestamp interaction
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
72d16f9900 s4:dsdb/tests: let password_lockout.py test with all combinations of krb5, ntlmssp and lockOutObservationWindow
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
ca874c200e s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user()
The results differ depending on Kerberos or NTLMSSP usage
and the lockOutObservationWindow.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
4b35d540fa s4:dsdb/tests: let password_lockout.py copy user{name,pass} from the template in insta_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
2c4612243a s4:dsdb/tests: let password_lockout.py use creds and other_ldb as function arguments
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
a37eef6b7d s4:dsdb/tests: let password_lockout.py use userpass variables in all functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
e760319526 s4:dsdb/tests: let password_lockout.py use other_ldb variables instead of self.ldb3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
f03d490b7b s4:dsdb/tests: let password_lockout.py use userdn variables in all functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
da4e419adf s4:dsdb/tests: let password_lockout.py make use of self.addCleanup() to cleanup objects
This is easier than doing it by hand...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
73fb24c2e4 s4:dsdb/tests: let password_lockout.py use _readd_user() for testuser3 too
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
860c6b1e8f s4:dsdb/tests: let password_lockout.py pass creds as argument to _readd_user()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
f301623550 s4:dsdb/tests: let password_lockout.py use user{name,pass,dn} variables in _readd_user()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
a9722a17ee s4:dsdb/tests: let password_lockout.py pass username,userpass optionally to insta_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
025e573d84 s4:dsdb/tests: let password_lockout.py let _readd_user() return the ldb connection as user
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
26a96d2964 s4:dsdb/tests: let password_lockout.py make use of the _readd_user() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
7b7d7be244 s4:dsdb/tests: let password_lockout.py add a _readd_user() helper function
This is a complete copy of the code that's currently inline.
I'm doing this in multiple steps in order to keep the diff
in a reviewable state.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
27d68469e2 s4:dsdb/tests: let password_lockout.py make the LDAP error string checks more useful
We should first check if the error number is as expected and
then check for a specific WERROR in the error string.

We also add the full error string as msg to assertTrue(),
so we'll actually see it if the assertion is wrong.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
58173f28ae s4:dsdb/tests: let password_lockout.py cross-check the lastLogon value with samr
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
9e6c22dbbe s4:dsdb/tests: let password_lockout.py reduce the values for lockoutDuration and lockOutObservationWindow
This reduces the runtime of the test while still producing reliable results.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
a35a5e9022 s4:dsdb: add some const to {samdb_result,dsdb}_effective_badPwdCount()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
e81d25a870 s4:dsdb/common: remove unused samdb_result_force_password_change()
The logic is incomplete and the correct logic is already available
via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Jeremy Allison
1d4b20d4f3 s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence.
https://bugzilla.samba.org/show_bug.cgi?id=11838

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-29 23:09:17 +02:00
Stefan Metzmacher
e0777da00b s4:dsdb/tests: add pwdLastSet tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 27 08:52:48 CEST 2016 on sn-devel-144
2016-06-27 08:52:48 +02:00
Stefan Metzmacher
f77c82d950 s4:dsdb/samldb: pwdLastSet = -1 requires Unexpire-Password right
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
bafa0166ee s4:dsdb/samldb: fix comment "lockoutTime" reset as per MS-SAMR 3.1.1.8.10
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
1d808bb5d7 s4:dsdb/password_hash: only allow pwdLastSet as "0" or "-1"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
b6933b2fda s4:dsdb/password_hash: allow pwdLastSet only changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
cada33bb97 s4:dsdb/password_hash: make it possible to specify pwdLastSet together with a password change
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
e536dbd447 s4:dsdb/password_hash: handle the DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET control
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:17 +02:00
Stefan Metzmacher
9baae34d44 s4:dsdb/password_hash: make the DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET code path more robust
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:17 +02:00