Age | Commit message (Collapse) | Author | Files | Lines |
|
when we run out of RIDs in our RID Set pool then grab a new one from
the RID Manager object
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
We now create it automatically in the samldb module when the first
user is created.
The creation of the dns user also had to move to the _modify.ldif as
it now relies on the fSMO role being setup for the RID Manager
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when we are the RID Manager we can create our own RID Set object when
the first user is created
|
|
We can't just use the callers callback directly otherwise the
ldb_module_done() is never called on the parent request, as the child
request is passed to the callback.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This should be used when you create a sub request and just want the
parent requests callback to be called when done.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This provides a convenient way to update a integer attribute with a
constrained delete/add
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This adds a module callable version of samdb_reference_dn(), which
finds a DN via a reference link
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
added a ldb add function for modules
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we need to recognise a changetype of 'add'
|
|
This will end up having the RID Manager logic as well, so all the RID
pool allocation logic is in one spot
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This is the first step towards DRS-friendly RID allocation. We now get
the next rid from the RID Set object
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
We can't allocate a objectSID until we have rIDSetReferences, but that
is in the DC object, so we have to force the objectSID of the DC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This returns the DN of our RID Set object
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
We will allocate RIDs from this set
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
This returns a 'reference' DN, which is a link to a DN, from the
specified object. It is then used by samdb_server_reference_dn() which
returns the serverReference DN, and samdb_rid_manager_dn() which
returns the rIDManagerReference DN.
|
|
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
directories as files
|
|
with security=share
|
|
This conforms to the behaviour of Windows 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
This is supposed to fixes Bug #4347 .
Michael
|
|
incrementation
This is a preparatory patch for the last part in fixing bug #4347 .
Michael
|
|
This is in order to be able to do challenge response with the history,
so that this can be checked when an invalid password was entered:
If the given password is wrong but in the history, then the bad password
count should not be updated...
The "lucky" bit here is that the md5 has and the nt hash (md4) both are
16 bytes long.
This is part of the fix for bug #4347 .
Michael
|
|
This is to introduce a new format of the password history, maintaining backwards
compatibility: The old format was 16 byte hash + 16 byte md5(salt + nt hash).
The new format is 16 zero bytes and 16 bytes nt hash.
This will allow us to respect the last X entries of the nt password history
when deciding whether to increment the bad password count.
This is part of the fix for bug #4347 .
Michael
|
|
The code I just removed was checked in with e5466fffc286a99f as a bug fix for
https://bugzilla.samba.org/show_bug.cgi?id=3319. With the changes to
is_visible_file made with 9e8b8f8c16612 these lines have become unnecessary,
even with "hide unreadable = yes" dead msdfs symlinks show. This is because we
can not stat(2) them and default to showing them.
Why this change? I have a user who wants to use "hide unreadable" on msdfs
links. Because you can't edit acls on symlinks themselves, the user created the
targets as bogus, empty files that just exist as acl placeholders. With the
code in place that this patch removes, we never allow this to work.
Jeremy, please check! :-)
Thanks,
Volker
|
|
Guenther
|
|
|
|
pdb_update_sam_account
Log what went wrongl, and also call pdb_update_sam_account inside
become_root/unbecome_root: do the logging outside.
Michael
|
|
Michael
|
|
for use after sam_password_ok() has been called.
Michael
|
|
So that a later talloc_free would not harm. I could have used
talloc_move instead of talloc steal in make_server_info_sam(),
but this would have required a change of the signature.
Michael
|
|
This is in preparation to extending check_sam_security to also check
against the password history before updating the bad password count.
This way, sam_password_ok can more easily be reused for that purpose.
Michael
|
|
This way it is more explicit that there is no allocated data here
that may leak.
Michael
|
|
data_blob(mem_ctx, 16) does not use mem_ctx as a talloc ctx but
copies 16 bytes from mem_ctx into the newly allocated data blob.
This can not have been intentional. A blank uint8_t array of
length 16 is allocated by passing NULL instead of mem_ctx.
And using data_blob_talloc(mem_ctx, NULL, 16) adds the allocated
blank 16 byte array to mem_ctx - so this is what must have been
intended.
Michael
|
|
and removing bool variables and several checks.
Michael
|
|
Michael
|
|
|
|
|
|
|
|
|
|
|
|
if (current_history_len != pwHistLen) {
if (current_history_len < pwHistLen) {
}
}
The second "if" is a bit pointless here
|
|
|
|
|
|
|
|
Remove an indentation by the early return in
+ if (pwHistLen == 0) {
+ /* Set the history length to zero. */
+ pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
+ return true;
+ }
|
|
No functional change, this just removes an indentation level by the early
"return True;" in
+ if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
+ /*
+ * No password history for non-user accounts
+ */
+ return true;
+ }
Volker
|
|
|