| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Instead of doing ldb_in_list size(operational_remove) * (attrs_user +
attr_searched) * number of entries times to get the list of attributes to remove we construct this
list before the search and then use it for every entries.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Most of the time this flag is not set and so we can avoid the strcasecmp
in ldb_attr_cmp()
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 17 17:10:32 CET 2013 on sn-devel-104
|
|
If the sd_flags control is specified, we should return nTSecurityDescriptor
only if the client asked for all attributes.
If there's a list of only explicit attribute names, we should ignore
the sd_flags control.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
|
|
modifyTimeStamp is a generated attribute, for most object it's generated
directly from the whenChanged attribute. But for the CN=aggregate object
in the schema we have to handle it in a different way, that's because
for this object whenChanged!=modifyTimeStamp (as checked against Windows
2003R2 DCs) instead the modifyTimeStamp reflect the timestamp of the
most recently modified and loaded schema object (that is to the one with
the highest USN before the schema was reload due to timeout or by the
reloadSchemaNow command).
Some third party are using this information to know if they have to
update their schema cache and also to check that schema updates have
been correctly reloaded by the DC, a good example of this behavior is
exchange 2010.
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
|
|
this was found by a flakey test in autobuild
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Mar 4 23:56:07 CET 2011 on sn-devel-104
|
|
"structuralObjectClass", "createTimestamp" and "modifyTimestamp" weren't
displayed anymore.
Reviewed by: Tridge
|
|
Reviewed by: Tridge
|
|
mapping
This has been removed accidentally by commit
a093e10896a4768dba0cd793a04b7d5d1366fee2.
Reviewed by: Tridge
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
it does exactly what we need here
Autobuild-User: Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date: Tue Feb 15 16:55:32 CET 2011 on sn-devel-104
|
|
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
|
|
this preserves the request hierarchy for dsdb_module_*() calls inside
dsdb ldb modules
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
builtin groups are shown in user tokenGroups searches
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This removes a silly cross-dependency between the ldb moudle stack and auth/
Andrew Bartlett
|
|
This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.
Andrew Bartlett
|
|
|
|
Autobuild-User: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
Autobuild-Date: Thu Nov 18 17:02:07 UTC 2010 on sn-devel-104
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Nov 9 22:43:44 UTC 2010 on sn-devel-104
|
|
"distinguishedName" attribute
It uses the DN from the returned message
|
|
|
|
|
|
Those values are actually ATTID values and such, they are used
for ATTIDs for Attributes, Classes and Syntaxes.
|
|
LDB_CONTROL_BYPASS_OPERATIONAL_OID
It's nicer to have this consistent with "BYPASS_PASSWORD_HASH".
|
|
The issue here is that we have not yet first cast to int32_t explicitly,
before we cast to an signed int to printf() into the %d or cast to a
int64_t before we then cast to a long long to printf into a %lld.
There are *no* unsigned integers in Active Directory LDAP, even the RID
allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
(See the schema, and the syntax definitions in schema_syntax.c).
The failure has been detected by Matthieu Patou on the buildfarm host "tridge"
due to a malformed "groupType" attribute.
The solution is to use the "%d" specifier. Either to use it directly - or better
(when possible) use the call "samdb_msg_add_uint" (which encapsulates it).
This patch changes such problematic situations.
|
|
This includes dom_sid.h and security_token.h and will be moved
to the top level shortly.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 03:35:36 UTC 2010 on sn-devel-104
|
|
We intend to see always all objects with the "show_deleted" control specified.
To see also recycled objects (beginning with 2008_R2 function level) we need to
use the new "show_recycled" control.
As far as I see this is only internal code and therefore we don't run into
problems if we do substitute it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
NC's other than default NC had a parentGUID, due to an incorrect check of whether
the object has a parent. Fixed by checking object's instanceType instead.
|
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
|
|
|
|
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)"
in places in the dsdb code where we don't already explicitly set an
error string. This should make is much easier to track down dsdb
module bugs that result in an operations error.
|
|
|
|
bypassed for some given attributes
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
|
|
|
|
|
|
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
|
|
We had to split up the auth module into a module loaded by main deamon
and a subsystem we manually init in the operational module.
Andrew Bartlett
|
|
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
|
|
I need to change the functions this calls
Andrew Bartlett
|
|
recompiled by waf.
|
|
This means that the existing kvno will no longer be valid, all
unix-based domain members may need to be rejoined, and
upgradeprovision run to update the local kvno in
secrets.ldb/secrets.keytab.
This is required to match the algorithm used by Windows DCs, which we
may be replicating with. We also need to find a way to generate a
reasonable kvno with the OpenLDAP backend.
Andrew Bartlett
|
|
|
|
|
|
It's easier to just set it up when we can, then to deal with the
ordering issues in ldb startup. As long as we have it ready if a real
client ever asks for it, then we should be happy.
Andrew Bartlett
|
|
need them for more constructed attributes
With this patch we delete the helper attributes at the end where all constructed
attributes have already been computed.
|
