Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
This is exactly that what Windows allows. It was proven by a blackbox test.
And we also need to deny add operations of builtin groups.
|
|
"isCriticalSystemObject" on modify operations
|
|
entries
They're only allowed to be created with the RELAX control specified.
|
|
This was done according to MS-SAMR 3.1.1.8.2
But do use it only for add operations at the moment.
|
|
Additionally clean up "samldb_fill_object" which is now much easier to
comprehend.
|
|
This was done according to MS-SAMR 3.1.1.8.1
I need to perform some RELAX checks since otherwise the provision wouldn't work
anymore.
|
|
|
|
|
|
|
|
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
|
|
This includes dom_sid.h and security_token.h and will be moved
to the top level shortly.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 03:35:36 UTC 2010 on sn-devel-104
|
|
The merged I plan in this area require spliting security.h into
two header files, a common header and a session.h for the
remaining source4-specific code.
Andrew Bartlett
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Tue Oct 12 02:12:29 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Oct 11 23:22:33 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Oct 11 21:13:25 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Oct 11 19:14:58 UTC 2010 on sn-devel-104
|
|
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 10 23:47:54 UTC 2010 on sn-devel-104
|
|
|
|
samdb-specific.
|
|
SAMDB_COMMON and DSDB_MODULE_HELPERS.
|
|
It's a bit redundant given that we have the "type" variable on "ac".
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed Oct 6 10:20:45 UTC 2010 on sn-devel-104
|
|
It may looks funny but the DN output prevents older ADUC versions (tested with
release 2000) to perform subtree deletes properly. Version 2008 has this fixed.
Additionally some smaller changes ("%u" for printing unsigned integers,
module name prefix, nicer line-wrap).
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Oct 5 16:48:19 UTC 2010 on sn-devel-104
|
|
operations
- Perform only shallow copies (should be enough)
- Perform only one copy per operation (also on modifications)
- Build a new request on modify operations if needed ("modified" flag) - this
makes it look cleaner
- Fix an important bug: the "el" pointers could have changed after
modifications. Therefore we have to refresh them on the FLAG_DELETE checks
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Oct 5 09:24:57 UTC 2010 on sn-devel-104
|
|
|
|
|
|
|
|
Let us do the distinction by real use and provision by the RELAX flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
We intend to see always all objects with the "show_deleted" control specified.
To see also recycled objects (beginning with 2008_R2 function level) we need to
use the new "show_recycled" control.
As far as I see this is only internal code and therefore we don't run into
problems if we do substitute it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is needed if the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag was specified
and the parent is renamed.
To be able to do this we also need to relax the constraint checks (using the
"isDeleted" proof).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
MS-ADTS 3.1.1.3.4.1 and MS-ADTS 3.1.1.5.5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The deleted objects (tombstones, recycled & deleted objects) are handled by
"repl_meta_data".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is what Windows does
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
A typo prevented the right behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
we need to ensure we only ever compare USNs from the same originating
invocation ID.
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sat Oct 2 01:45:19 UTC 2010 on sn-devel-104
|
|
we could use old_el after the base message had been re allocated, due
to adding timestamps. We need to re-find the element before using it
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
It is more useful to fail the transaction and give the user an error
message than to assert when we have an error in the repl_meta_data
module
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when we setup the krbtgt_NNNN account using the DCPROMO_OID control,
we also need to set an initial password for this account
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
A RODC cannot assume a role, and unwillingToPerform must be
returned if such request is sent via LDAP
|
|
If we don't we could show an old, incrorrect error
|
|
|
|
|
|
It is the same as ldb_request_add_control, except it will replace
an existing control.
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Sep 27 19:00:38 UTC 2010 on sn-devel-104
|
|
It is currently enabled only if the request comes from the LDAP server, and is
disabled by default. Use acl:search=true in smb.conf to enable it.
It filters out all objects the user is not allowed to see, and all attributes
the user does not have RP on. Extended access not supported yet.
|
|
againts Windows
These tests will fail in make test as well if the acl_read module is enabled.
|
|
Similar to dsdb_check_access_on_dn, only it searches by guid.
|