summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/samdb.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r18636: Excessive testing with pam_winbind within Samba3 revealed a new samrGünther Deschner1-4/+4
reject reason code while password changing: SAMR_REJECT_IN_HISTORY which is different from SAMR_REJECT_COMPLEXITY. torture test to follow as well. Guenther (This used to be commit 7513748208214339e764cc990aa1dbbcf864975a)
2007-10-10r17930: Merge noinclude branch:Jelmer Vernooij1-1/+1
* Move dlinklist.h, smb.h to subsystem-specific directories * Clean up ads.h and move what is left of it to dsdb/ (only place where it's used) (This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
2007-10-10r17830: Set the default_basedn (hey, it comes from the "default" naming ↵Simo Sorce1-1/+1
contex :-) once at connection time, after modules have been loaded. Introduce a function to retrieve the value where needed. (This used to be commit 0caf6a44e03393c645030a9288e7dfd31e97c98b)
2007-10-10r17824: add a wrapper for the common partitions_basedn calculationAndrew Tridgell1-30/+9
(This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc)
2007-10-10r17823: get rid of most of the samdb_base_dn() calls, as they are no longerAndrew Tridgell1-4/+4
needed in searches (This used to be commit a5ea749f0ac63bf495a55ee8d9d002208ab93572)
2007-10-10r17788: fix compiler warningsStefan Metzmacher1-1/+1
metze (This used to be commit 00fcc4f16a01a0c6a70f86c8bd9d1f9801dfd9df)
2007-10-10r17639: Martin Kuhl noticed that we loaded an incorrect value forAndrew Bartlett1-0/+2
distinguisedName on templated objects. In looking how to handle distinguishedName correctly on LDAP, I was very glad to find it supported entryDN, and this adds another mapping. Andrew Bartlett (This used to be commit 3b5c973988648a2b2a5e1885ee894607e4d9679b)
2007-10-10r17530: Watching the build farm mails carefully pays off...Andrew Bartlett1-3/+2
This was another declaration before statement bug, in my just-committed code.. Andrew Bartlett (This used to be commit 1d1bf6b20512653c1de7920388f16fbef936ed47)
2007-10-10r17529: Simo doesn't like the use of the internal ldb_errstring in functionsAndrew Bartlett1-5/+9
not used purely as ldb module helper functions. This now passes these strings back as explicit parameters. Andrew Bartlett (This used to be commit 9c1cd9c2c6bcd9d056a7c9caafacdd573562ebbc)
2007-10-10r17516: Change helper function names to make more clear what they are meant ↵Simo Sorce1-7/+7
to do (This used to be commit ad75cf869550af66119d0293503024d41d834e02)
2007-10-10r17513: ldb_set_errstring is an ldb private string, samdb uses DEBUG() ↵Simo Sorce1-4/+3
statements (This used to be commit c57b6420aa4a220257df714aaccb016acb4bae24)
2007-10-10r16827: Factor out some code into common samdb functions:Andrew Bartlett1-27/+155
- creation of ForeignSecurityPrincipals - template duplication code Rework much of the LSA server to pass the RPC-LSA test. Much of the server code was untested. In implementing the LSA Accounts feature, I have opted to have it only create entires when privilages are applied, and not to delete entries, but to delete the privilages. We skip some parts of the test, but it is much better than not testing it at all. Andrew Bartlett (This used to be commit 10eeea6da465564ed9f785d06e2d2ed06cfe29a4)
2007-10-10r16771: Add const and some better debug messages.Andrew Bartlett1-7/+13
Andrew Bartlett (This used to be commit 87cac3529ca4f114a93adb5b307766e681c49a1d)
2007-10-10r16264: Add, but do not yet enable, the partitions module.Andrew Bartlett1-4/+5
This required changes to the rootDSE module, to allow registration of partitions. In doing so I renamed the 'register' operation to 'register_control' and 'register_partition', which changed a few more modules. Due to the behaviour of certain LDAP servers, we create the baseDN entry in two parts: Firstly, we allow the admin to export a simple LDIF file to add to their server. Then we perform a modify to add the remaining attributes. To delete all users in partitions, we must now search and delete all objects in the partition, rather than a simple search from the root. Against LDAP, this might not delete all objects, so we allow this to fail. In testing, we found that the 'Domain Controllers' container was misnamed, and should be 'CN=', rather than 'OU='. To avoid the Templates being found in default searches, they have been moved to CN=Templates from CN=Templates,${BASEDN}. Andrew Bartlett (This used to be commit b49a4fbb57f10726bd288fdc9fc95c0cbbe9094a)
2007-10-10r16125: Add another helpful utility function: samdb_msg_add_int()Andrew Bartlett1-0/+10
Andrew Bartlett (This used to be commit 2fe9de8105843776b8ef41ef6f9a6cea5cb188ff)
2007-10-10r15725: First shot at making password_hash asyncSimo Sorce1-1/+1
The async path is not yet enabled by default so it should make no harm (This used to be commit b7d5f2325726757a4fcd0b5ac03de1b867085a89)
2007-10-10r15297: Move create_security_token() to samdb as it requires SAMDB (and the ↵Jelmer Vernooij1-0/+76
rest of LIBSECURITY doesn't) Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal Some other dependency fixes (This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)
2007-10-10r14860: create libcli/security/security.hStefan Metzmacher1-1/+1
metze (This used to be commit 9ec706238c173992dc938d537bdf1103bf519dbf)
2007-10-10r14570: Move some functions also they are also used from kpasswdJelmer Vernooij1-0/+317
(This used to be commit 89dfb74894c809d69eab05bdb6d5fe4012153808)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-0/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+1
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13910: Fix the 'your password has expired' on every login. We now considerAndrew Bartlett1-3/+8
if the 'password does not expire' flag has been set, filling in the PAC and netlogon reply correctly if so. Andrew Bartlett (This used to be commit c530ab5dc6865c422382bc0afa7a86f7ec1acdf2)
2007-10-10r12599: This new LDB module (and associated changes) allows Samba4 to operateAndrew Bartlett1-63/+25
using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplfies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldbAndrew Bartlett1-3/+5
backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2007-10-10r12161: Fix a memleak and do the -O1 janitor :-)Volker Lendecke1-1/+6
(This used to be commit 82d87d62614a33ec9d2ed20e63d80a7af64e8678)
2007-10-10r12156: added samdb_domain_sid(), a routine to get the domain sid by lookingAndrew Tridgell1-0/+66
up the rootDomainNamingContext in the rootdse, then getting the objectsid from the root of the domain (This used to be commit 152590101e64ec260304e4b34cb1e2ef64333a02)
2007-10-10r11967: Fix more 64-bit warnings.Tim Potter1-2/+2
(This used to be commit 9c4436a124f874ae240feaf590141d48c33a635f)
2007-10-10r10914: moved the ldap time string functions into ldb so they can be used byAndrew Tridgell1-13/+0
the time attribute handling functions (This used to be commit 93c296d52718e77f8b702e1721b548eaadc56c76)
2007-10-10r10913: This patch isn't as big as it looks ...Andrew Tridgell1-10/+10
most of the changes are fixes to make all the ldb code compile without warnings on gcc4. Unfortunately That required a lot of casts :-( I have also added the start of an 'operational' module, which will replace the timestamp module, plus add support for some other operational attributes In ldb_msg_*() I added some new utility functions to make the operational module sane, and remove the 'ldb' argument from the ldb_msg_add_*() functions. That argument was only needed back in the early days of ldb when we didn't use the hierarchical talloc and thus needed a place to get the allocation function from. Now its just a pain to pass around everywhere. Also added a ldb_debug_set() function that calls ldb_debug() plus sets the result using ldb_set_errstring(). That saves on some awkward coding in a few places. (This used to be commit f6818daecca95760c12f79fd307770cbe3346f57)
2007-10-10r10894: make the handling of dn/distinguishedName much closer to realAndrew Tridgell1-4/+2
ldap. Also ensure we put a objectclass on our private ldb's, so they have some chance of being stored in ldap if you want to (This used to be commit 1af2cc067f70f6654d08387fc28def67229bb06a)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett1-2/+7
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r9930: Use a single samdb_base_dn() function rather than lots of sillyAndrew Bartlett1-0/+34
searches all over the place. This can be extended to cover an NT4 (no ADS) mode in future as well. Andrew Bartlett (This used to be commit 0761b22f99a128bd9634a191adc88b0e30982a3a)
2007-10-10r9654: introduce the samdb_search_dn callSimo Sorce1-0/+22
(This used to be commit 333ebb40d55c60465564b894d5028b364e99ee00)
2007-10-10r9391: Convert all the code to use struct ldb_dn to ohandle ldap like ↵Simo Sorce1-13/+21
distinguished names Provide more functions to handle DNs in this form (This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba)
2007-10-10r9385: Remove unused functionsSimo Sorce1-97/+0
(This used to be commit fac8ff623778250acd830f358fcd34b85f7983b6)
2007-10-10r9208: fix a crash bugStefan Metzmacher1-2/+3
metze (This used to be commit f8a25ac2397d50359f4903618832da7886d91d6f)
2007-10-10r8810: Fix missing headers. Still doesn't fix the build but getting closer ↵Rafal Szczesniak1-0/+1
there. rafal (This used to be commit bc638cc3d66525cf91ef76eb0c486542fff2b929)
2007-10-10r8715: - revert the %PRIi64 stuff. Tim, we explicitly check for %llu supportAndrew Tridgell1-7/+17
in configure, and replace snprintf if the system doesn't support it. Our replacement code does not handle the "%PRIi64" stuff, so using it would break us on lots of platforms - fixed constant array initialisers to work on HPUX. (This used to be commit c6bae3e87e2dcb3a89bbb32da131627c60871e3d)
2007-10-10r8714: Oops - get it right this time!Tim Potter1-2/+2
(This used to be commit 1d2b708da657a3f3c81bb60600f66bc359c2eab7)
2007-10-10r8713: Experiment to try and fix warnings on 64-bit machines without breakingTim Potter1-2/+2
32-bit ones. Yes, this weird looking macros are part of C99. (This used to be commit 7b316f119b8486b75ebe63b185c50fab82313e58)
2007-10-10r8669: The objectguid module belongs in Samba's ldb module collection, not inAndrew Bartlett1-14/+0
ldb, as it can't build without the NDR and GUID code. Also make it properly use the NDR encoding for the GUID (I forgot last time, and used a string), as well as set the dependencies on the module correctly. Andrew Bartlett (This used to be commit 8054abc76e5e3588cebc7fc01062a1223b7f140b)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell1-3/+4
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r8224: - add objectGUID ldif_handlerStefan Metzmacher1-17/+25
- fix some compiler warnings metze (This used to be commit e6c39241bf93336d4c94c43f9d8beb69018fb74a)
2007-10-10r7860: switch our ldb storage format to use a NDR encoded objectSid. This isAndrew Tridgell1-19/+80
quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
2007-10-10r7783: the whenChanged attribute is now handled by the timestamps module, andAndrew Tridgell1-3/+0
should not be handled here as well. I had to remove it from here as it was buggy anyway (it wasn't setting the modify flags, this making an invalid ldb_modify() request) (This used to be commit f267e9d5b7b40c9c8bf1aa67a00f42e2d3bb3bc5)
2007-10-10r7615: fix the build and simplify gendb_search_dnSimo Sorce1-2/+2
(This used to be commit b38bb63175ae0bdcf833c017e5fbbfc2c0769506)
2007-10-10r7582: Better way to have a fast path searching for a specific DN.Simo Sorce1-4/+4
Old way was ugly and had a bug, you couldn't add an attribute named dn or distinguishedName and search for it, tdb would change that search in a dn search. This makes it also possible to search by dn against an ldap server as the old method was not supported by ldap syntaxes. sss (This used to be commit a614466dec2484a0d39bdfae53da822cfcf80926)
2007-10-10r6470: Remove ldb_search_free() it is not needed anymore.Simo Sorce1-12/+3
Just use talloc_free() to release the memory after an ldb_search(). (This used to be commit 4f0948dab0aa5e8b6a4ce486f3668ca8dfae23db)
2007-10-10r5988: Fix the -P option (use machine account credentials) to use the Samba4Andrew Bartlett1-21/+1
secrets system, and not the old system from Samba3. This allowed the code from auth_domain to be shared - we now only lookup the secrets.ldb in lib/credentials.c. In order to link the resultant binary, samdb_search() has been moved from deep inside rpc_server into lib/gendb.c, along with the existing gendb_search_v(). The vast majority of this patch is the simple rename that followed, (Depending on the whole SAMDB for just this function seemed pointless, and brought in futher dependencies, such as smbencrypt.c). Andrew Bartlett (This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)