summaryrefslogtreecommitdiff
path: root/source4/dsdb/common
AgeCommit message (Collapse)AuthorFilesLines
2013-06-13dsdb: remove a wrong comment in dsdb_check_access_on_dn_internal()Stefan Metzmacher1-4/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Jun 13 18:19:24 CEST 2013 on sn-devel-104
2013-06-13dsdb: don't allow a missing nTSecurityDescriptor in ↵Stefan Metzmacher1-3/+3
dsdb_get_sd_from_ldb_message() Every object has a nTSecurityDescriptor attribute. This also avoids potential segfaults in the callers. Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-06-13dsdb: use AS_SYSTEM | SHOW_RECYCLED for access check searchesStefan Metzmacher1-1/+7
We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute. Also the result of this search not controlled by the client nor is the result exposed to the client. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-06-12dsdb: Allow dsdb_find_dn_by_guid to show deleted DNsAndrew Bartlett1-2/+4
This helps us in the KCC as we need to return the deleted DN for the GUID in DsReplicaGetInfo calls (tested for deleted servers against Windows 2008R2). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-04-19s4:dsdb: Fix warnings about not set / set but unused / shadowed variablesMatthieu Patou1-3/+0
Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 19 13:15:40 CEST 2013 on sn-devel-104
2013-03-05dsdb: Check for pointers before we deference them.Andreas Schneider1-7/+7
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-02-04dsdb/util: rework samdb_check_password() to support utf8Stefan Metzmacher1-5/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-01-21dsdb: Ensure "authenticated users" is processed for group membershipsAndrew Bartlett1-0/+25
This change moves the addition of "Authenticated Users" from the very end of the token processing to the start. The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects. Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21libcli/security: handle node initialisation in one spot in ↵Andrew Bartlett1-3/+2
insert_in_object_tree() This removes special-case for initalising the children array in insert_in_object_tree(). talloc_realloc() handles the intial allocate case perfectly well, so there is no need to have this duplicated. This also restores having just one place were the rest of the elements are intialised, to ensure uniform behaviour. To do this, we have to rework insert_in_object_tree to have only one output variable, both because having both root and new_node as output variables was too confusing, and because otherwise the two pointers were being allowed to point at the same memory. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-01s4:dsdb/common: use 01.01.1970 as last_sync_success for our entry in the ↵Stefan Metzmacher1-3/+4
uptodatevector This matches a Windows 2008R2 and 2012 server. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-01s4:dsdb/common: use LDB_SEQ_HIGHEST_SEQ for our entry in the uptodatevectorStefan Metzmacher1-2/+2
We should use the global highestCommittedUSN, not the per partition value. This matches a Windows 2008R2 and 2012 server. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-12-11s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if requiredStefan Metzmacher1-7/+11
This should give the password_hash module a chance to detect if the called was the cleartext password or not. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to ↵Stefan Metzmacher1-0/+2
DSDB_SECRET_ATTRIBUTES_EX See [MS-ADTS] 3.1.1.4.4 Extended Access Checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-06dsdb: Rename _res argument to _result.Jelmer Vernooij1-6/+6
Newer versions of heimdal include a macro that is unfortunately named '_res'. This change prevents the clash. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-01s4-dsdb: Remove unused variablesAndrew Bartlett1-3/+0
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Sep 1 05:10:47 CEST 2012 on sn-devel-104
2012-09-01s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_contextAndrew Bartlett1-2/+0
This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! Andrew Bartlett
2012-08-14s4-dsdb: Use samdb_dn_is_our_ntdsa()Andrew Bartlett1-14/+3
This uses a GUID based comparison, and avoids re-fetching the samdb_ntds_settings_dn each time. Andrew Bartlett
2012-08-14s4-dsdb: Add samdb_dn_is_our_ntdsa()Andrew Bartlett1-0/+25
This is like samdb_reference_dn_is_our_ntdsa but without the attribute de-reference. Andrew Bartlett
2012-08-14s4-dsdb: Use samdb_reference_dn_is_our_ntdsa()Andrew Bartlett1-35/+4
2012-08-14s4-dsdb: Add helper function samdb_reference_dn_is_our_ntdsa()Andrew Bartlett1-1/+39
We often want to know if we own an FSMO role (for example). This tries to be more efficient by comparing the GUID, rather than the string DN, as this does not need to be re-fetched each time. Andrew Bartlett
2012-08-14s4-dsdb: Use ldb_dn_copy() rather than talloc_reference()Andrew Bartlett1-1/+1
As the normal case (outside provision) uses a copy, this avoids a case where a caller might modify a global variable accidentily. As suggested by metze. Andrew Bartlett
2012-08-14s4-libnet: Improve debugging of libnet_BecomeDC LDAP errorsAndrew Bartlett1-0/+2
2012-08-14s4-dsdb: Add mem_ctx argument to samdb_ntds_settings_dnAndrew Bartlett1-10/+18
As this value is calculated new each time, we need to give it a context to live on. If the value is the forced value during provision, a reference is taken. This was responsible for the memory leak in the replication process. In the example I was given, this DN appeared in memory 13596 times! Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Aug 14 10:05:14 CEST 2012 on sn-devel-104
2012-08-14s4-dsdb: Add constAndrew Bartlett1-4/+4
2012-06-27s4-dsdb when setting DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID make it ↵Andrew Bartlett1-1/+7
non-critical
2012-04-29s4:dsdb/common/util.c - samdb_is_pdc() - fail if the "fSMORoleOwner" ↵Matthias Dieter Wallnöfer1-1/+5
attribute has not been set
2012-03-20Move NS_GUID_string and NS_GUID_from_string to dsdb-common.Jelmer Vernooij2-0/+62
2012-02-25s4-lib: Remove unused samdb_msg_set_value()Ricky Nance1-15/+0
Found by callcatcher. Ricky Nance
2012-02-25s4-lib: Remove unused samdb_msg_set_string()Ricky Nance1-15/+0
Found by callcatcher. Ricky Nance
2012-02-25s4-lib: Remove unused samdb_msg_set_int()Ricky Nance1-15/+0
Found by callcatcher Ricky Nance
2012-01-24dsdb: Allow DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID to be specified as a flagAndrew Bartlett2-0/+8
2011-12-09s4:dsdb/common/util.c - test LDB result against LDB_SUCCESS as we are always ↵Matthias Dieter Wallnöfer1-1/+1
doing Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Fri Dec 9 12:00:03 CET 2011 on sn-devel-104
2011-11-18dsdb: Fix the password expiry calculationAmitay Isaacs1-1/+1
As per Section 3.1.1.4.5.26 [MS-ADTS.pdf], password is expired if pwdLastSet = null, or pwdLastSet = 0, or (maxPwdAge != 0x8000000000000000 and (ST - pwdLastSet) > maxPwdAge)
2011-11-02dsdb: Handle the case when extended rights string is NULLAmitay Isaacs1-4/+7
Pair-Programmed-With: Andrew Tridgell <tridge@samba.org> Signed-off-by: Andrew Tridgell <tridge@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Wed Nov 2 07:03:40 CET 2011 on sn-devel-104
2011-10-04s4-dsdb: fixed re-join of subdomainAndrew Tridgell1-3/+4
if we repeat the join of a subdomain then we try to re-create the NC for the subdomain during a DsAddEntry(). This allows that re-creation to succeed if the NC already exists
2011-10-04s4-dsdb: simplify samdb_is_gc()Andrew Tridgell1-28/+2
we already have a function for returning the NTDS options
2011-10-04s4-dsdb: added new control DSDB_MODIFY_PARTIAL_REPLICAAndrew Tridgell2-0/+67
this control tells the partition module that the DN being created is a partial replica, so it should modify the @PARTITION object to add the partialReplica attribute Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-09-22s4-dsdb: added NO_GLOBAL_CATALOG controlAndrew Tridgell2-1/+11
this control is used to ask samdb to not return searches with a basedn in partial repica partitions, which is needed to support the difference between a search on the 3268 GC ldap port and the non-GC 389 port
2011-09-22s4-dsdb: failing to find the object is not an error in dsdb_loadreps()Andrew Tridgell1-3/+8
we may not have replicated the partition yet, so this should be considered the same as having no repsFrom/repsTo
2011-09-08s4-dsdb: fixed compiler warningAndrew Tridgell1-1/+1
sid can be const Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-09-05s4-dsdb Print clearer error messages when invalid account flags are ↵Andrew Bartlett1-0/+9
specified on add
2011-08-26s4-dsdb Return ACL errors as ldb_errstring()Andrew Bartlett1-0/+3
This string is reported to the caller, which makes debugging much easier. Andrew Bartlett
2011-08-25s4-dsdb: added samdb_ntds_msdcs_dns_name()Andrew Tridgell1-2/+37
this gets the DNS name for a NTDS GUID, based on the forest DNS name Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-08-25s4-dsdb: added samdb_dn_to_dns_domain()Andrew Tridgell1-0/+36
this converts a DC into the equivalent DNS domain. It is used when forming t_msdcs NTDS DNS names Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-08-25s4-dsdb: assert that base DNs are used correctlyAndrew Tridgell1-0/+3
this will catch future programmer errors with incorrect base DNs Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-08-13s4-dsdb Give a less worrying error message on failure to get a transactionAndrew Bartlett1-1/+1
2011-08-13s4-dsdb Add ability to force a particular SID in the upgrade caseAndrew Bartlett1-1/+16
2011-08-13s4-dsdb Add flag to set DSDB_BYPASS_PASSWORD_HASH controlAndrew Bartlett2-0/+9
2011-08-12s4-dsdb: don't cache the NTDS settings DNAndrew Tridgell1-9/+8
this DN can change due to a server rename, so we cannot cache it. It is set by provision, but not anywhere else. This seems to not have a large performance impact Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-08-04s4-dsdb: added dn_format attribute of a dsdb_attributeAndrew Tridgell1-7/+0
this is faster than string comparisons during searches at runtime Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>