Age | Commit message (Collapse) | Author | Files | Lines |
|
If this right is granted to a user, they may modify the SPN of an object with some value restrictions
serviceName can be set only if the object is a DC, and then only to the default domain and netbios name, or ntds_guid._msdsc_.forest_domain. If the serviceType is GC, only to the forest root domain. If the serviceType is ldap, then to forest_domain or netbiosname.
InstanceType can be samAccountName or dnsHostName.
|
|
We now just do or do not call into LDB based on some flags.
This means there may be some more link time dependencies, but we seem
to deal with those better now.
Andrew Bartlett
|
|
This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.
Andrew Bartlett
|
|
These local TDB operations can quite safely be handled in a new/nested
event context, rather than using the main event context.
Andrew Bartlett
|
|
This reverts commit 25163380239abbad28f1656c42e6fab1b92473d9 because
further analyis showed the real problem was introduced in 0941099a
(which changed the caller behaviour, but only for indexed searches).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Dec 18 02:19:59 CET 2010 on sn-devel-104
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 18 01:33:24 CET 2010 on sn-devel-104
|
|
|
|
We need to make LDB consistent here (indexed vs unindexed behaviour
differs here!), but for the moment this is the easiest way out of a
segfault.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 16 06:42:56 CET 2010 on sn-devel-104
|
|
|
|
used
Make it much harder to import bad data into the password attributes.
This isn't 100% safe, but much better than no checks.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Dec 13 16:17:36 CET 2010 on sn-devel-104
|
|
metze
|
|
one using this result message.
No need to reference as no one further up the stack uses the result, it is the result of a secondary request sent by aclread.
As a result from code review by Kamen Mazdrashki and Anatoliy Atanasov
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Wed Dec 8 15:01:51 CET 2010 on sn-devel-104
|
|
Instead of using ldb_msg_remove_attr, now we are flagging the attributes to be removed,
and allocating the new elements array to be returned at once. This seems to decrease the
overhead by 50 percent.
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Wed Dec 8 12:00:27 CET 2010 on sn-devel-104
|
|
|
|
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Mon Dec 6 16:48:35 CET 2010 on sn-devel-104
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Dec 6 15:11:44 CET 2010 on sn-devel-104
|
|
Modified the aclread module to now insert the attributes needed to perform access checks in the same request,
instead of doind a separate search per entry. Also, instanceType is now used to determine id the object has a parent
instead of parentGUID, which saves one additional search in operational.
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Mon Dec 6 13:50:19 CET 2010 on sn-devel-104
|
|
The aclread needs to be belod descriptor, as it needs to have the full nTsecurityDescriptor to make the
checks, and the descriptor module may filter out parts of it if SD_FLAGS_CONTROL is provided.
|
|
|
|
Schema cache
Same error message is printed by linked_attributes.c module
and it was really hard to tell where the error occurred
Autobuild-User: Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date: Mon Dec 6 00:05:59 CET 2010 on sn-devel-104
|
|
We have exact same error messages at different locations
and it is little bit hard to tell where the error came from
from the log.
|
|
|
|
If *schema is NULL, then dsdb_schema_from_ldb_results()
call should have failed
|
|
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Dec 4 17:26:39 CET 2010 on sn-devel-104
|
|
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Dec 2 12:35:03 CET 2010 on sn-devel-104
|
|
This seems to have been broken some time ago - till someone on the
mailing list noticed it.
I've also added a testsuite (and some additional SamDB python helpers) which
should prove this.
|
|
|
|
"el->values" could under some circumstances be NULL (see "if" above).
|
|
Pair-Programmed-With: Zahari Zahariev <zahari.zahariev@postpath.com>
Autobuild-User: Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date: Wed Dec 1 11:45:48 CET 2010 on sn-devel-104
|
|
|
|
|
|
Tru64
|
|
specifications
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Nov 27 16:03:43 CET 2010 on sn-devel-104
|
|
Here we can print it out as unsigned since we are generating a string
attribute.
|
|
And remove the "long" specifier since at least on the major platforms
(Linux, BSD and Solaris) these types are defined as "uint32_t".
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Nov 26 13:58:27 CET 2010 on sn-devel-104
|
|
|
|
It's only needed if we've a schema around.
|
|
This arranged the check to avoid talloc_strdup() (the schema pointers
are constant, and can be relied upon), and checks the untrusted bit
first (it is faster), before the ldb_attr_cmp().
The strcmp() here was valid, if unusual, because the ldapDisplayName
values are already in the correct case, but strcasecmp() is more
correct, as for the small extra cost, we avoid a difficult to diagnose
bug later.
Andrew Bartlett
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
This makes it clearer what the local variable in use here does.
Andrew Bartlett
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
The rootdse module handles rootDSE requests, and blocks anonymous
access, so we on't need to do it again here.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Nov 26 00:36:19 CET 2010 on sn-devel-104
|
|
This ensures that one single point checks for and blocks anonymous
read access to the database over LDAP.
Andrew Bartlett
|
|
A function that does not return memory should not take a memory context.
Andrew Bartlett
|
|
domain objects
Tridge pointed out that it is to dangerous to allow them to be created
with SYSTEM permissions. The solution using the "untrusted" flag should
be much more viable.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Nov 25 13:05:56 CET 2010 on sn-devel-104
|
|
is specified
This fits better than the RELAX one.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed Nov 24 18:23:01 CET 2010 on sn-devel-104
|
|
loop"
This denies objects created from possible derivated classes from the prohibited
ones.
Also small cosmetic improvements for another check.
|
|
changes
Sometimes "ldb_module_oom" fits better than "ldb_operr" or "ldb_oom".
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Nov 20 22:32:06 CET 2010 on sn-devel-104
|