summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules
AgeCommit message (Collapse)AuthorFilesLines
2013-01-21dsdb-acl: use acl_check_access_on_objectclass() instead of ↵Stefan Metzmacher1-8/+13
acl_check_access_on_class() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()Andrew Bartlett1-16/+16
This commit enters the GUID into the object tree so that that access rights assigned to the structural objectClass are also available, as well as rights assigned to the attribute property groups. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Pass the structural objectClass into acl_check_access_on_attributeAndrew Bartlett3-20/+57
This will, when the GUID is entered into the object tree (not in this commit) ensure that access rights assigned to the structural objectClass are also available, as well as rights assigned to the attribute property groups. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Remove unused get_oc_guid_from_message()Andrew Bartlett1-19/+0
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: ask for the objectClass attribute if it's not in the scope of the ↵Andrew Bartlett1-1/+16
clients search This will be used later. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: use dsdb_get_structural_oc_from_msg() rather than ↵Andrew Bartlett1-8/+7
class_schemaid_guid_by_lDAPDisplayName This uses dsdb_get_last_structural_objectclass(), which encodes this ordering knowledge in one place in the code, rather than using this uncommented magic expression: (char *)oc_el->values[oc_el->num_values-1].data Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_rename()Andrew Bartlett1-12/+14
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_modify()Andrew Bartlett1-8/+10
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: add acl_check_access_on_objectclass() helperStefan Metzmacher1-0/+39
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Add helper function dsdb_get_structural_oc_from_msg()Andrew Bartlett1-0/+13
This will eventually replace get_oc_guid_from_message(), returning the full dsdb_class. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: attr is not optional to acl_check_access_on_attribute()Stefan Metzmacher1-25/+24
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: dsdb_attribute_by_lDAPDisplayName() is needed for all attributesStefan Metzmacher1-16/+18
"clearTextPassword" is the only exception. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: introduce a 'el' helper variable to acl_modify()Stefan Metzmacher1-12/+11
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: introduce a 'msg' helper variable to acl_modify()Stefan Metzmacher1-20/+20
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-17dsdb-operational: Avoid doing the ldb_attr_cmp if bypass flag is not setMatthieu Patou1-1/+1
Most of the time this flag is not set and so we can avoid the strcasecmp in ldb_attr_cmp() Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Jan 17 17:10:32 CET 2013 on sn-devel-104
2013-01-17dsdb: Do not hold the transaction over the IRPC call to perform a role transferAndrew Bartlett1-1/+26
This avoids one samba process locking out another from the DB. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-17drs-fsmo: Improve handling of FSMO role takeover.Andrew Bartlett1-1/+10
This needs to be more async, and give less scary errors. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-17dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor"Stefan Metzmacher1-3/+11
acl_check_access_on_attribute should never be called with attr=NULL because we don't check access on an attribute in that case Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net> Autobuild-User(master): Matthieu Patou <mat@samba.org> Autobuild-Date(master): Thu Jan 17 11:21:10 CET 2013 on sn-devel-104
2013-01-17dsdb-acl: add helper variable 'ldb' in acl_sDRightsEffectiveStefan Metzmacher1-1/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17dsdb-acl: fix the order of special and system checksStefan Metzmacher1-22/+61
First we check for a special dn, then for system access. All allocations happen after this checks in order to avoid allocations we won't use. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17dsdb-acl: Do not apply ACL on special DNs to hide attributes that the user ↵Matthieu Patou1-0/+4
shouldn't see This fix frequent reindexing when using python script with a user that is not system. The reindexing is caused by ACL module hidding (removing) attributes in the search request for all attributes in dn=@ATTRIBUTES and because dsdb_schema_set_indices_and_attributes checks that the list of attributes that it just calculated from the schema is the same as the list written in @ATTRIBUTES, if not the list is replaced and a reindexing is triggered. Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-17dsdb-acl: talloc_free the private context when we pass to the next moduleStefan Metzmacher1-0/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-17dsdb-acl: don't call dsdb_user_password_support() if we don't use the resultStefan Metzmacher1-2/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net>
2013-01-15dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug ↵Andrew Bartlett1-28/+27
#9554 - CVE-2013-0172) This seems inefficient, but is needed for correctness. The alternative might be to have the sec_access_check_ds code confirm that *all* of the nodes in the object tree have been cleared to node->remaining_bits == 0. Otherwise, I fear that write access to one attribute will become write access to all attributes. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit d776fd807e0c9a62f428ce666ff812655f98bc47)
2013-01-12dsdb: Make linked_attributes module GUID based for renamesAndrew Bartlett1-13/+64
This ensures that when we have the backlink out of sync with the forward link (perhaps due to another operation that has put the backlink handling in an end-of-transaction TODO list in repl_meta_data) that we do not error out, we just cope as well as we can. The GUID is the unique identifier, not the DN. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Sat Jan 12 12:52:28 CET 2013 on sn-devel-104
2013-01-10dsdb-acl: give error string if we can not obtain the schemaAndrew Bartlett1-2/+3
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-01s4:dsdb/repl_meta_data: don't merge highwatermark and uptodatevector (bug #9508)Stefan Metzmacher1-38/+1
We should not do any magic regarding the highwatermark we got from the source dsa. We need to treat it as opaque and not try to be smart and merge it into the uptodatevector. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-01s4:dsdb/repl_meta_data: also update the last_sync_success in replUpToDateVectorStefan Metzmacher1-5/+1
This matches Windows 2008R2 and Windows 2012. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-01s4:dsdb/repl_meta_data: store the last results and timestamps in the repsFromStefan Metzmacher1-0/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-01s4:dsdb/repl_meta_data: always treat the highwatermark as opaque (bug #9508)Stefan Metzmacher1-1/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-12-11s4:dsdb/password_hash: do the min password age checks firstMichael Adam1-11/+13
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-12-11s4:dsdb/password_hash: Honor password complexity settings.Stefan Metzmacher1-5/+0
Honor password complexity settings when creating new users. Without this patch, you could set simple passwords although the complexity settings were enabled. This was an issue with 'samba-tool user add' and also when adding new users via Windows' "Active Directory Users and Computers" MMC Snap-In. The following scenarios were tested successfully after applying the patch: -'samba-tool user add' against s4 -'samba-tool user add -H' against a Windows DC -Adding a new user on a s4 DC using Windows' "Active Directory Users and Computers" MMC Snap-In. Please note that this bug was caused by a mistake in the documentation. Fix bug #9414 - 'samba-tool user add' ignores password complexity settings. Pair-programmed-with: Karolin Seeger <kseeger@samba.org> Pair-Programmed-With: Michael Adam <obnox@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Michael Adam <obnox@samba.org>
2012-12-11Revert "s4:dsdb/password_hash: Honor password complexity settings."Stefan Metzmacher1-7/+1
This reverts commit f8056b7a6998e002f473b0ad79eee046236a7032. A better fix will follow. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-11s4:dsdb/descriptor: pass object_list to create_security_descriptor()Stefan Metzmacher1-2/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-10s4:dsdb/operational: fix stripping of the nTSecurityDescriptor attributeStefan Metzmacher1-2/+12
If the sd_flags control is specified, we should return nTSecurityDescriptor only if the client asked for all attributes. If there's a list of only explicit attribute names, we should ignore the sd_flags control. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-10s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the sd_flags ↵Stefan Metzmacher1-2/+9
control is given (bug #9470) Not returning the nTSecurityDescriptor causes a lot of problems. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-10s4:dsdb/acl_read: give some variables a better nameStefan Metzmacher1-10/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-10s4:dsdb/acl_read: fix the calculation of the attribute array for the sub searchStefan Metzmacher1-14/+19
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-10s4:dsdb/acl_read: check the ldb_attr_list_copy_add() resultStefan Metzmacher1-0/+12
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-10s4:dsdb/dirsync: fix potential talloc hierachy problems (bug #9470)Stefan Metzmacher1-3/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-07s4:dsdb/descriptor: fix replication of NC headsStefan Metzmacher1-2/+2
The sub NC heads maybe replicated with the parent partition, if we don't need to recalculate the nTSecurityDescriptor attribute in that case, the replication of the of the sub partition should handle that. This fixes error messages like this: descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-07s4:dsdb/acl_read: improve debugging for fatal errorStefan Metzmacher1-3/+18
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-07s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)Stefan Metzmacher1-0/+5
Some modules might not allocate values on the correct memory context. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-07s4:dsdb/schema_data.c: correctly move the CN=Aggregate attributes to ↵Stefan Metzmacher1-6/+18
msg->elements[i].values (bug #9470) We should keep the talloc hierarchy sane. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-12-06s4:dsdb/password_hash: Honor password complexity settings.Stefan Metzmacher1-1/+7
Honor password complexity settings when creating new users. Without this patch, you could set simple passwords although the complexity settings were enabled. This was an issue with 'samba-tool user add' and also when adding new users via Windows' "Active Directory Users and Computers" MMC Snap-In. The following scenarios were tested successfully after applying the patch: -'samba-tool user add' against s4 -'samba-tool user add -H' against a Windows DC -Adding a new user on a s4 DC using Windows' "Active Directory Users and Computers" MMC Snap-In. Please note that this bug was caused by a mistake in the documentation. Fix bug #9414 - 'samba-tool user add' ignores password complexity settings. Pair-programmed-with: Karolin Seeger <kseeger@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Karolin Seeger <kseeger@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Dec 6 05:11:43 CET 2012 on sn-devel-104
2012-12-02s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flagsStefan Metzmacher1-0/+44
A client can send a full security_descriptor while just passing sd_flags of SECINFO_DACL. We need to NULL out elements which will be ignored depending on the sd_flags and may set the old owner/group sids. Otherwise the calculation of the DACL/SACL can replace CREATOR_OWNER with the wrong sid. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for ↵Stefan Metzmacher1-2/+70
replicated changes We only do so if the replicated object is not deleted. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)Stefan Metzmacher1-3/+17
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)Stefan Metzmacher1-1/+18
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()Stefan Metzmacher1-0/+29
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>