summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/samdb.c
AgeCommit message (Collapse)AuthorFilesLines
2010-09-26s4-auth: fixed the SID list for DCs in the PACAndrew Tridgell1-10/+0
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that receives the PAC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
2010-09-11libcli/security Use talloc_zero when making a struct security_tokenAndrew Bartlett1-2/+0
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett1-25/+22
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-18s4:auth Change {anonymous,system}_session to use common session_info generationAndrew Bartlett1-2/+4
This also changes the primary group for anonymous to be the anonymous SID, and adds code to detect and ignore this when constructing the token. Andrew Bartlett
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett1-4/+2
This makes the structure more like Samba3's NT_USER_TOKEN
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-4/+4
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-05-20s4:auth Change auth_generate_session_info to take flagsAndrew Bartlett1-15/+46
This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-05-20s4:auth Move BUILTIN group addition into session.cAndrew Bartlett1-2/+9
The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-03-03s4:samdb.c - Make it signed-safeMatthias Dieter Wallnöfer1-2/+2
Use an unsigned argument for the numbers of groups and the counter "i" since the function is called only by "auth_generate_session_info" with an unsigned number of groups argument.
2010-02-20s4:credentials Add hooks to extract a named Kerberos credentials cacheAndrew Bartlett1-1/+3
This allows the integration of external tools that can't be linked into C or python, but need to authenticate as the local machine account. The machineaccountccache script demonstrates this, and debugging has been improved in cli_credentials_set_secrets() by passing back and error string. Andrew Bartlett
2009-11-02Remove special case logic in 'samdb_relative_path'.Andrew Bartlett1-3/+0
While this logic (avoiding to prefix a non-filename with a path) is important in the code this was copied from (private_dir()), none of the callers of this function need it. Andrew Bartlett
2009-10-27s4-dsdb: call dsdb_make_schema_global() from ldb_wrapAndrew Tridgell1-1/+0
Calling it from samdb_connect() can cause a stale schema to be put into the global schema. Thanks to Andrew Bartlett for spotting this.
2009-10-23s4-samdb: make sure the static credentials are never freedAndrew Tridgell1-0/+9
2009-10-23s4-dsdb: add a static samdb_credentialsAndrew Tridgell1-5/+17
Similarly to system_session(), this creates a static samdb_credentials()
2009-10-21s4:dsdb Make the 'relative path' code in partitions handle tdb://Andrew Bartlett1-0/+3
The previous code would fail if the caller used tdb:// in the URL for the top-level database. Andrew Bartlett
2009-09-07s4:templates - Remove the latest relics (in "dcesrv_lsa_CreateSecret")Matthias Dieter Wallnöfer1-104/+0
2009-07-13libds: share UF_ flags between samba3 and 4.Günther Deschner1-1/+1
Guenther
2009-06-29SAMDB: Don't check for "sAMAccountName" twiceMatthias Dieter Wallnöfer1-1/+0
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-4/+4
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-10-11Fix include paths to new location of libutil.Jelmer Vernooij1-1/+1
2008-09-23Merge ldb_search() and ldb_search_exp_fmt() into a simgle function.Simo Sorce1-1/+1
The previous ldb_search() interface made it way too easy to leak results, and being able to use a printf-like expression turns to be really useful.
2008-07-15Use secrets.ldb to store credentials to contact LDAP backend.Andrew Bartlett1-1/+26
This makes Samba4 behave much like Samba3 did, and use a single set of administrative credentials for it's connection to LDAP. Andrew Bartlett (This used to be commit e396a59788d77aa2fbf3b523c3773fe0e5c976c0)
2008-06-14Use a custom init function for samba4 that sets a samba4Simo Sorce1-1/+1
specific debug function. By default do not debug, this is the most appropriate action for a library as we cannot assume what stderr is use for in the main app. The main app is responsible to set ev_debug_stderr if they so desire. (This used to be commit e566a2f308ac6fb4b526a744f7059b565670aea5)
2008-06-14Make up the right dependencies now that ldb depends on libeventsSimo Sorce1-1/+2
(This used to be commit 3b8eec7ca334528cad3cdcd5e3fc5ee555d8d0e0)
2008-04-21Make sure we have an event context availableSimo Sorce1-0/+7
(This used to be commit b7c96e0cc270bd3b1c9bd117a22df3f657b6acd5)
2008-04-17Specify event_context to ldb_wrap_connect explicitly.Jelmer Vernooij1-3/+10
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
2008-02-09Give a more useful error when the templates.ldb can't be found.Andrew Bartlett1-2/+4
Andrew Bartlett (This used to be commit 26108eb66b4b5d4b339dfc845e8a018190068e81)
2008-01-11Remove 'dn' from mapping, it isn't a valid attribute in AD, and causesAndrew Bartlett1-1/+1
problems with ldap.js test with OpenLDAP as the backend. Likewise, remove it from the template lookup (for consistancy). TODO: see if it can be removed from ldb Andrew Bartlett (This used to be commit 47a1b76f7fff30229d3f23c6723f047923faf196)
2007-12-21r26483: Merge ldb module dependency fixes, fix auth python module.Jelmer Vernooij1-1859/+0
(This used to be commit 85eeecf997a071ca7e7ad0247e8d34d49b7ffcbb)
2007-12-21r26319: Split encoding functions out of libcli_ldap.Jelmer Vernooij1-1/+1
(This used to be commit 95a6ef7fc8757ccfd90dbf0d6c9b5098f10b10b6)
2007-12-21r26298: Use metze's schema loading code to pre-initialise the schema into theAndrew Bartlett1-0/+37
samdb before we start writing entries into it. In doing so, I realised we still used 'dnsDomain', which is not part of the standard schema (now removed). We also set the 'wrong' side of the linked attributes for the masteredBy on each partition - this is now set in provision_self_join and backlinks via the linked attributes code. When we have the schema loaded, we must also have a valid domain SID loaded, so that the objectclass module works. This required some ejs glue. Andrew Bartlett (This used to be commit b0de08916e8cb59ce6a2ea94bbc9ac0679830ac1)
2007-12-21r26235: Avoid global_loadparm.Jelmer Vernooij1-1/+1
(This used to be commit e9039782204389cc827e76da319d5ccf6d33be46)
2007-12-21r26229: Set loadparm context as opaque pointer in ldb, remove more uses of ↵Jelmer Vernooij1-1/+2
global_loadparm. (This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
2007-12-21r26227: Make loadparm_context part of a server task, move loadparm_contexts ↵Jelmer Vernooij1-2/+3
further up the call stack. (This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
2007-12-21r26135: Remove samdb_add(), samdb_delete() and samdb_modify(), which were justAndrew Bartlett1-26/+2
wrappers to ldb_add() etc. samdb_replace() remains, as it sets flags on all entries as 'replace'. Andrew Bartlett (This used to be commit 09c0faa5b7e1a560bf13b99a2584012a47377bb6)
2007-12-21r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.Jelmer Vernooij1-1/+2
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
2007-12-21r25949: Make error messages clearer and more correct.Andrew Bartlett1-4/+5
Andrew Bartlett (This used to be commit f0a0d73f768434cb474b311d7c366d1f2a06c8f4)
2007-12-21r25940: Rework the samldb and templates handling.Andrew Bartlett1-10/+77
Templates just don't belong in the sam.ldb, as they don't obey any of the other rules. This moves them to a seperate templates.ldb. In samldb, this patch reworks the duplicate SID and Name detection code, to use ldb_search_exp_fmt() rather than gendb_search. This returns far more useful errors, which we now handle and report better. The call to samdb_search_for_parent_domain() has been moved in samldb, to allow both the account and SID uniqueness checks to be in the same domain. This function also returns better errors. dcesrv_drsuapi.c is updated for the new prototype of samdb_search_for_parent_domain() Andrew Bartlett (This used to be commit f1ab90c88c782c693b41795d70368650806543b5)
2007-12-21r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers)Stefan Metzmacher1-12/+13
lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
2007-10-10r25553: Convert to standard bool type.Jelmer Vernooij1-11/+11
(This used to be commit b7371f1a191fb86834c0d586d094f39f0b04544b)
2007-10-10r25446: Merge some changes I made on the way home from SFO:Jelmer Vernooij1-1/+2
2007-09-29 More higher-level passing around of lp_ctx. 2007-09-29 Fix warning. 2007-09-29 Pass loadparm contexts on a higher level. 2007-09-29 Avoid using global loadparm context. (This used to be commit 3468952e771ab31f90b6c374ade01c5550810f42)
2007-10-10r25398: Parse loadparm context to all lp_*() functions.Jelmer Vernooij1-1/+1
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10r25268: Thanks to Andrew Kroeger for pointing out on IRC that this isAndrew Bartlett1-4/+0
compleatly dead code. Andrew Bartlett (This used to be commit 5838aca79b11fd8a94567a04c1c1a99bc4343547)
2007-10-10r25026: Move param/param.h out of includes.hJelmer Vernooij1-0/+1
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
2007-10-10r25000: Fix some more C++ compatibility warnings.Jelmer Vernooij1-6/+7
(This used to be commit 08bb1ef643ab906f1645cf6f32763dc73b1884e4)
2007-10-10r24986: LDB has a function for comparing things that must meet the rules ofAndrew Bartlett1-1/+1
attribute names. Andrew Bartlett (This used to be commit 46e387580622bd6d5d621399e08c5d5003c91bbf)
2007-10-10r24941: Simplify samdb_result_nttime(), and remove nttime_from_string()Andrew Bartlett1-3/+1
Andrew Bartlett (This used to be commit bcd994a139e2e8fb2e97c8b897c987ff234e0b0a)
2007-10-10r24918: Fix the build (forgot to include dcesrv_lsa.c in the previous commit)Andrew Bartlett1-2/+4
and improve error strings returned from samdb.c Andrew Bartlett (This used to be commit a42d0eb531e663304bea840d614b2f91f95dd818)
2007-10-10r24914: In response to bug #4892 by Matthias Wallnöfer <mwallnoefer@yahoo.de>,Andrew Bartlett1-34/+21
allow the objectclass module to reconstruct the objectclass hierarchy, rather than using templates. The issue being fixed in particular is that 'top' was not being set on containers. This should ensure we do this right for all objects. Andrew Bartlett (This used to be commit d17a0058ba8492b8b3f81b6f10fc34b3e45bb8a6)
2007-10-10r24611: Following up on the re-opening of bug 4817 is it pretty clear thatAndrew Bartlett1-5/+11
machine accounts are not subject to password policy in Win2k3 R2 (at least in terms of password quality). In testing this, I found that Win2k3 R2 has changed the way the old ChangePassword RPC call is handled - the 'cross-checks' between new LM and NT passwords are not required. Andrew Bartlett (This used to be commit 417ea885b41cc097a0bb3a10ffbffb31f234f25d)