IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
NULL should be used when doing all partition searches. The default
basedn should be used when wanting just the domain NC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
when searching all partitions we must use the NULL basedn, or we will
miss partitions in multi-domain setups
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
In the upgrade process, set the administrator password from the
existing root or administrator account.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Need to copy the password from s3 for administrator/root to s4.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Added users/groups import from s3 using python wrapper for passdb.
Fix idmap entries for users/groups when migrating from s3 idmap.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
It is required in s3_upgrade script to migrate idmap database from s3 to s4.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This is required in upgrade_s3 script to migrate idmap database from s3 to s4
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
dom_sid_compare() function can return values other than -1, 0, 1.
Python requires compare function to return value from [-1, 0, 1].
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Aug 18 02:58:55 CEST 2011 on sn-devel-104
when in FL 2000 we were not correctly deleting backlinks as we uses
dsdb_find_dn_by_guid() which doesn't find deleted objects. Modules
should use dsdb_module_dn_by_guid() which prevents going to the top
level, and finds deleted objects
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
added comments explaining the backlink deletion code, plus fix a use
of a bitwise operation in a boolean expression, and avoid calling
dsdb_functional_level() inside a loop
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This will allow an upgraded DC to keep its SID, while being upgraded
to AD. We also watch for the highest RID in the existing DB to set
next_rid for other additional users.
Andrew Bartlett
Use passdb backend to import/export users
Remove unused options for upgrade_from_s3 command (--blank) and credentials options
Config file is specified with -s/--configfile option and no need to specify as an argument.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this DN can change due to a server rename, so we cannot cache it. It
is set by provision, but not anywhere else.
This seems to not have a large performance impact
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
when joining another domain as a DC we should setup our dsServiceName
in @ROOTDSE to be a GUID so we can cope with later server renames
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows dsServiceName to be stored as an extended DN or GUID form
in @ROOTDSE, and its string form will be found at runtime.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
these are not needed now that the rootdse modules calculates the
validFSMOs attribute at runtime
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this changes the rootdse to compute the validFSMOs attribute at
runtime by checking the fSMORoleOwner attribute on the appropriate
DN. This avoids the need for the pdc_fsmo and naming_fsmo modules.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
s4:subtree_rename LDB module - fix the move/rename constraints
By the inspiration of an email request by ekacnet I have rechecked the
move/rename constraints and re-read the chapter 3.1.1.5.4.1 located in the
MS-ADTS technical documentation.
It really turns out that the constraint checking is only performed on
the root object of a request.
In addition add my copyright notice (I've written these constraint checks).
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Aug 10 01:05:19 CEST 2011 on sn-devel-104
This happens if we have a custom schema - we need to build up the schema until
it loads, by converting more objects.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Aug 9 13:10:25 CEST 2011 on sn-devel-104
this can be used to force re-indexing of samdb when we change
something that affects index comparison, in this case the
canonicalisation of booleans
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this auto-normalises some attributes when they are added/modified. The
list that we auto-normalise is currently:
Boolean
INT32
INTEGER
UTC_TIME
This fixes a problem with groupType being stored in an unnormalised
form
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
If we pass variable references we don't get implicit casting!
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Aug 8 18:01:19 CEST 2011 on sn-devel-104
this replaces DN components in incoming filter expressions with the
full extended DN of the target, which allows search expressions based
on <GUID=> and <SID=> DNs, as well as fixing the problem with one-way
links in search expressions
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this is used when rewriting filter rules to replace a filter rule with
one that is guaranteed not to match
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows for searches like member=<SID=S-1-2-3>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
this is faster than string comparisons during searches at runtime
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
when we return a DN which is a one way link, fix the string DN
component by searching for the GUID and replacing the DN components
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows us to quickly determine if a DN is a one way link
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
this allows us to use dsdb_module_dn_by_guid() from levels below the
extended_dn_out module
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
This avoids having the same check in 3 different parts of the code
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug 3 12:45:04 CEST 2011 on sn-devel-104
The auth4_context is already in the gensec_security structure, which is
available by de-reference here anyway.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This allows the current behaviour of the NTLMSSP code to be unchanged
while adding a way to hook in an alternate implementation via an auth
module.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.
Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.
Andrew Bartlett
The startup and runtime functions that have no dependencies are moved
into the top level.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug 3 07:49:12 CEST 2011 on sn-devel-104
gpo fetch is remote->local and gpo create is local->remote
local is local filesystem and remote is smb share.
Need two functions to copy local->remote and remote->local.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
this allows us to deal with search elements containing characters that
must be escaped in LDAP
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 29 05:33:03 CEST 2011 on sn-devel-104
In my rework of this function in 2006 with
459a2301a5 I ignored the incoming
handle, instead feching the LSA state again (dispite the commit
message indicating otherwise).
This means that data->access_mask is uninitialised, which doesn't
matter right now, but will once we start checking that.
Andrew Bartlett
ask the creds object for the password before prompting for the new
password in the user password change code, to ensure the user is asked
for the old password first
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Jul 28 08:35:45 CEST 2011 on sn-devel-104
To copy the GPO files, use libcli python interface list() to get directory
listing and loadfile() to read the contents of the file.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Instead of using gpo dn as the key to refer to a gpo, use the gpo name
as the key.
If no URL is specified (-H option), find a writable DC and use that.
Extract a commonly used method as get_gpo_info() to find details of a GPO.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Update do_smb_connect function to return NTSTATUS rather than raise
python exception on error. Error checking done in py_smb_new().
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This command is a user-level command and differs from setpassword
command which is administrator command.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This module will support file system access using SMB.
based on smb_composite - loadfile(), savefile()
based on raw - getacl(), setacl()
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The rest of the commands are available in python version of samba-tool.
C version of samba-tool is for testing only and will be phased out once
all the commands are ported to python.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Exceptions are captured at top-level samba-tool and reported using
the base class (Command) method show_command_error().
Signed-off-by: Andrew Tridgell <tridge@samba.org>
C version of samba-tool is now called samba-tool-c, which will be
removed as soon as all the samba-tool commands are ported to python.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Use the object names as <modulename>.<objectname> to correctly generate the
object hierarchy in pydoc.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Use the object names as <modulename>.<objectname> to correctly generate the
object hierarchy in pydoc.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Updated test suite invocations of newuser to "user add" as
the newuser functionality is now being moved to "user add"
Signed-off-by: Andrew Tridgell <tridge@samba.org>
To improve consistency, I've made sure all the commands take either a -H
or --URL when specifying a URL
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Windows seems to always canonicalize the principal in TGS replies.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104
when a child task exits we were firing a destructor on any inherited
messaging contexts, which could trigger a removal of the parents
message socket and messaging database entry.
This adds a new auto_remove flag to imessaging_init(), and exposes the
cleanup code for use by the stream service.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Jul 22 08:09:06 CEST 2011 on sn-devel-104
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Jul 21 04:58:01 CEST 2011 on sn-devel-104
this speeds up the dbcheck in provision to fix only the objects that
we know will need fixing
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
If the parent request specify the show_deleted control we must use it in
order to be able to see the deleted objects.
Also we just allow to trusted connections with the system account to
remove deleted objects, others receive an unwilling to perform.
a 'keytab' is a particular format known to administrators, whereas
'keys' is a bit too vague
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
As it is not always possible to determine the usage of a command solely based on the list of required and optional args, it is best
to have the subclasses always define it, rather than displaying an incorrect usage statement. Currently, all commands are subclassing the synopsis.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Fixed the bugs in the code to determine both the min and the max # of allowed arguments
Changed the argument suffix convention from "*" to "+" to represent one or more arguments as:
1. It follows the Regular expression convention ("*" means 0 or more)
2. It is what was missing in terms of functionality
NB Currently, no command is using the "*/+", but it is a good thing to have to help out the validation of the args if/when in the future
we have such need
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Created show_command_error method to handle errors in SuperCommand
Removed statement in SuperCommand to raise exception
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Caught exception whenever possible, added new check for newpassword to make sure it contains some chars
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Added [options] where needed, fixed others where filter or username was needed, renamed name to username
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The option groups should be defined at the Command base class level as they are in common across all samba-tool commands.
Major move advantages:
1. more OOP approach
2. enforcing consistency across commands
3. avoiding the need of declaring for every new command
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The prog should only be set if we want it to be different than the name of the program that executed it. I think that for better portability we should not set it and let it default to samba-tool.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The update was necessary to reflect the move from join to domain join as part of the object-action work
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The test suite needs to reflect the change from domailevel to "domain level" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The functionality of machinepwd has been moved to "domain machinepassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Changed test suite to reflect the changes from setpassword to "domain setpassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The functionality in setppasword has now been moved to "user setpassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This verifies that for NTLM authenticated connections, named pipe
forwarding works as expected, including the session keys.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This will allow the source3 auth code to call this without needing to
double-parse the SIDs
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
TODO: check why this is needed.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jul 15 12:26:25 CEST 2011 on sn-devel-104
kcc_service struct gets a intrasite_code
boolean that is filled in via parametric parameter
kccsrv:intrasite = [true/false] in smb.conf. This
will allow us to continue to utilize old simple
KCC topology as continuing default while newer
intra-site topology matures further.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Jul 14 00:19:12 CEST 2011 on sn-devel-104
We need the ability to utilize this function in a different
manner. KCC intra-site topology has already vetted the
replica as being appropriate to produce a repsFrom from.
We do not want kccsrv_add_repsFrom() to produce further
checking as was the case for simple topology. Thus if
we pass a NULL (res) parameter this extra check will
be skipped.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
kccsrv_replica_flags() and
kccsrv_add_repsFrom() need to be available to functions
outside kcc_periodic.c
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Utilized by KCC to carry the invocation id of the NTDSDSA
that we are replicating the name context from. Utilized
when NTDSConnection is created (much like dsa_guid tracks
the NTDSDSA objectGUID that we are replicating the name
context from).
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Previously this set an explicit (0x1) value whereas it
can now utilize NTDSCONN_OPT_IS_GENERATED from flags.h
Signed-off-by: Andrew Tridgell <tridge@samba.org>
A helper function for retrieving the ntds site settings
via standalone function call. Used within KCC
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Flags that were missing from flags.h or were incorrectly
defined inline to the kcc_topology.c code (and thus unusable
elsewhere). These are the NTDSConnection and NTDSDSA Site
settings flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
this fixes the DN to have a full GUID for new objects
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jul 13 14:03:30 CEST 2011 on sn-devel-104
some DNs are are not setup with GUIDs during the provision because of
circular dependencies between objects. This adds a dbcheck pass to the
provision to fix those DNs
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this checks for missing backlinks or backlinks without a forward link
and optionally fixes them
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this allows you to force a reindex of the database
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
this avoids the need for access to the secrets database
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
the samldb checks failed to account for the possibility of a member
being removed and added in the same modify operation. This happens
(for example) when dbcheck is fixing a SID in a DN.
The repl_meta_data.c code already has this check, it just wasn't
giving the right specialised error code for the 'member' attribute
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
It's not only a cache as we also support static records.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jul 12 16:16:45 CEST 2011 on sn-devel-104
this is better than doing a schema search inside the dbcheck code
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Jul 11 07:43:18 CEST 2011 on sn-devel-104
this allows conversion from a DRS attribute ID to a LDAP display name
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
when fixing missing attributes in replPropertyMetaData, allow user to
confirm changes, and check for exceptions
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
When an object is deleted, link pointed to it are marked as inactive.
When the same object is purged we do not remmove the link pointed to it
(we can't know them) so they stay in the database, it turns to be a
problem for Windows 2008.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
The usual use case is that you have a not complete linked attribute (ie.
without the SID) if we keep using the old dn, then the SID will never be
added.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This is needed because we can have more than 1 value in a single valued
attribute as we store also deleted values. So we do the check in repl_meta_data
and then indicate LDB to do the check.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
this makes dbcheck search over all objects, deleted or not. This
matters because when another DC replicates from this DC it replicates
the deleted objects as well, so invalid attributes in deleted objects
can cause problems on the new DC (for example, windows can get stuck
or even crash during the replication)
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
the objectclass_attrs validation that an object contains all mandatory
attributes is incorrect for deleted objects, as they get stripped of
some mandatory attributes when deleted (for example, objectCategory
gets stripped)
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
when extended_dn_in fails to resolve a GUID extended DN component, the
debug code assumed that it was a search operation, and accessed
ac->req->op.search.base, which is not valid for non-search DN
expansions.
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
This is handled by a common header and a .c file that is included into
both loadparm.c files.
In the process, _lp functions were renamed to lp__ to allow the common
function definition declarations to be used by source3 and source4
(which have different macro definitions).
The only parameter to change type is 'strict_locking' which was a
bool, and is now an int, to accommodate the 'Auto' value from source3.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 8 12:35:56 CEST 2011 on sn-devel-104
This is to that the pyparam hooks can use the hooks to connect with
the s3 loadparm system. This now also includes per-service
parameters.
Andrew Bartlett
this asks the user if they want to remove an unknown attribute. You
can also choose 'all' which will auto-confirm all questions about
removing unknown attributes.
when asking the user to confirm an action, allow for an 'all'
choice, which will be used to allow the user to confirm all future
requests of the same type
this allows attributes not known in the schema to be removed if the
caller has set the RELAX control. This will be used by dbcheck to
allow cleaning of bad attributes from the database
We need to ensure that if this parses name.name_string as just one
val, then we don't read uninitialised and possibly unallocated memory.
Found by Adam Thorn <alt36@cam.ac.uk>
While we are checking that, we need to fix the strncasecmp() check to
first check if the string is the expected length, then check for a
match against sAMAccountName-without-doller, as otherwise we will
permit a string such as machinefoo to match a sAMAccountName of
machine.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104
