| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This could cause an all-zero GUID to be entered into the
replPropertyMetaData, which will then fail to be replicated to other
DCs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
This ensures (and asserts) that we never write an all-zero GUID as an invocationID
to the database in replPropertyMetaData.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jun 13 18:19:24 CEST 2013 on sn-devel-104
|
|
dsdb_get_sd_from_ldb_message()
Every object has a nTSecurityDescriptor attribute.
This also avoids potential segfaults in the callers.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
Also the result of this search not controlled by the client
nor is the result exposed to the client.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
This helps us in the KCC as we need to return the deleted DN for the GUID
in DsReplicaGetInfo calls (tested for deleted servers against Windows 2008R2).
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr 19 13:15:40 CEST 2013 on sn-devel-104
|
|
Reviewed-by: David Disseldorp <ddiss@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
This change moves the addition of "Authenticated Users" from the very end of the
token processing to the start. The reason is that we need to see if
"Authenticated Users" is a member of other builtin groups, just as we
would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access"
group, which is in turn often used in ACLs on LDAP objects.
Without this change, the eventual token does not contain S-1-5-32-554
and users other than "Administrator" are unable to read uidNumber
(in particular).
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
insert_in_object_tree()
This removes special-case for initalising the children array in
insert_in_object_tree(). talloc_realloc() handles the intial allocate
case perfectly well, so there is no need to have this duplicated.
This also restores having just one place were the rest of the elements
are intialised, to ensure uniform behaviour.
To do this, we have to rework insert_in_object_tree to have only one
output variable, both because having both root and new_node as output
variables was too confusing, and because otherwise the two pointers
were being allowed to point at the same memory.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
uptodatevector
This matches a Windows 2008R2 and 2012 server.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
We should use the global highestCommittedUSN, not the per partition value.
This matches a Windows 2008R2 and 2012 server.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
This should give the password_hash module a chance to detect if the called
was the cleartext password or not.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
DSDB_SECRET_ATTRIBUTES_EX
See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
Newer versions of heimdal include a macro that is unfortunately named
'_res'. This change prevents the clash.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 1 05:10:47 CEST 2012 on sn-devel-104
|
|
This was found based on a log provided by Ricky Nance
<ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky!
Andrew Bartlett
|
|
This uses a GUID based comparison, and avoids re-fetching the
samdb_ntds_settings_dn each time.
Andrew Bartlett
|
|
This is like samdb_reference_dn_is_our_ntdsa but without the attribute de-reference.
Andrew Bartlett
|
|
|
|
We often want to know if we own an FSMO role (for example). This tries to be more
efficient by comparing the GUID, rather than the string DN, as this does not need
to be re-fetched each time.
Andrew Bartlett
|
|
As the normal case (outside provision) uses a copy, this avoids a case
where a caller might modify a global variable accidentily.
As suggested by metze.
Andrew Bartlett
|
|
|
|
As this value is calculated new each time, we need to give it a context to live on.
If the value is the forced value during provision, a reference is taken.
This was responsible for the memory leak in the replication process. In the
example I was given, this DN appeared in memory 13596 times!
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug 14 10:05:14 CEST 2012 on sn-devel-104
|
|
|
|
non-critical
|
|
attribute has not been set
|
|
|
|
Found by callcatcher.
Ricky Nance
|
|
Found by callcatcher.
Ricky Nance
|
|
Found by callcatcher
Ricky Nance
|
|
|
|
doing
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec 9 12:00:03 CET 2011 on sn-devel-104
|
|
As per Section 3.1.1.4.5.26 [MS-ADTS.pdf], password is expired if
pwdLastSet = null, or
pwdLastSet = 0, or
(maxPwdAge != 0x8000000000000000 and (ST - pwdLastSet) > maxPwdAge)
|
|
Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Nov 2 07:03:40 CET 2011 on sn-devel-104
|
|
if we repeat the join of a subdomain then we try to re-create the NC
for the subdomain during a DsAddEntry(). This allows that re-creation
to succeed if the NC already exists
|
|
we already have a function for returning the NTDS options
|
|
this control tells the partition module that the DN being created is a
partial replica, so it should modify the @PARTITION object to add the
partialReplica attribute
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this control is used to ask samdb to not return searches with a basedn
in partial repica partitions, which is needed to support the
difference between a search on the 3268 GC ldap port and the non-GC
389 port
|
|
we may not have replicated the partition yet, so this should be
considered the same as having no repsFrom/repsTo
|
|
sid can be const
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
specified on add
|
|
This string is reported to the caller, which makes debugging much easier.
Andrew Bartlett
|
|
this gets the DNS name for a NTDS GUID, based on the forest DNS name
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
|
|
this converts a DC into the equivalent DNS domain. It is used when
forming t_msdcs NTDS DNS names
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
|
|
this will catch future programmer errors with incorrect base DNs
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
|
