summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
AgeCommit message (Collapse)AuthorFilesLines
2011-02-14s4-ldb_modules/util: Implement dsdb_module_find_ntdsguid_for_computer()Kamen Mazdrashki1-0/+30
as a counterpart for samdb_find_ntdsguid_for_computer() to be used in LDB modules
2011-02-14s4/ldb_modules/acl.c: Fix calculation for samAccountName string lenKamen Mazdrashki1-1/+1
2011-02-14s4-dsdb: cope with broken exchange schema with single valued backlinksAndrew Tridgell1-0/+7
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Mon Feb 14 08:45:51 CET 2011 on sn-devel-104
2011-02-14s4-dsdb: fixed problem with constrained modification of description attributeAndrew Tridgell1-44/+13
This approach just asks the tdb backend to handle the single valued constraint for us Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-13Fix typosVolker Lendecke1-1/+1
2011-02-10ldb: use #include <ldb.h> for ldbAndrew Tridgell13-28/+28
thi ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-09s4-auth Rework auth subsystem to remove struct auth_serversupplied_infoAndrew Bartlett1-2/+2
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-07s4-dsdb: make subtree_rename errors clearerAndrew Tridgell1-10/+10
2011-02-02s4-dsdb Fix generation of rootDSE domainControllerFunctionalityAndrew Bartlett1-1/+3
The issue here is that when the samdb calls were removed, this call relied on going back to the top of the module stack, so as to re-enter the rootDSE search handler. It makes more sense to check the @ROOTDSE record directly, and therefore not to invoke the search() handler during the init. Andrew Bartlett
2011-01-28s4-acl: Fixed returning uninitialized ldap error in case of some critical ↵Nadezhda Ivanova1-7/+10
errors. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Fri Jan 28 12:04:01 CET 2011 on sn-devel-104
2011-01-25s4:dsdb/samdb/ldb_modules/objectclass.c - move LSA specific object checks ↵Matthias Dieter Wallnöfer2-32/+29
into "objectclass_attrs" LDB module LSA object classes are protected on both LDAP add and LDAP modify operations, so I've refactored the previous check in the objectclass LDB module only for LDAP adds in a new one in the objectclass_attrs LDB module for both adds and modifies. This is the result of the investigations done by Hongwei Sun and I in the last months. Interestingly these protection mechansim doesn't apply on LDAP deletes! Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-01-22s4-repl_meta_data: replmd_update_is_newer() should not return true if ↵Kamen Mazdrashki1-3/+3
metadata stamps are equal Autobuild-User: Kamen Mazdrashki <kamenim@samba.org> Autobuild-Date: Sat Jan 22 12:22:30 CET 2011 on sn-devel-104
2011-01-22s4-repl_meta_data: Print out what is wrong when we fail to modify objectKamen Mazdrashki1-0/+1
2011-01-22s4-repl_meta_data: We should not use USNs in metadata comparisonsKamen Mazdrashki1-11/+0
If object is changed by same DC, then version should be incremented
2011-01-20s4-auth Remove special case for account_sid from auth_serversupplied_infoAndrew Bartlett2-34/+23
This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-17s4-dsdb: replaced the calls to ldb_search() in dsdb modules with ↵Andrew Tridgell4-26/+32
dsdb_module_search() this ensures we follow the module stack, and set the parent on child requests
2011-01-17s4-dsdb: pass parent request to dsdb_module_*() functions Andrew Tridgell24-231/+331
this preserves the request hierarchy for dsdb_module_*() calls inside dsdb ldb modules Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4:samldb LDB module - fix "userAccountControl" handlingMatthias Dieter Wallnöfer1-8/+20
"UF_ACCOUNTDISABLE" is only added automatically if no "userAccountControl" flags are set on LDAP add operations. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Fri Jan 14 18:29:07 CET 2011 on sn-devel-104
2011-01-14s4-dsdb: only enforce the extended dn rules over ldapAndrew Tridgell1-2/+21
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Fri Jan 14 07:23:31 CET 2011 on sn-devel-104
2011-01-14s4-dsdb: removed the last use of samdb_search_*() from the dsdb ldb modulesAndrew Tridgell1-4/+12
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4-dsdb: removed some more samdb_search_*() calls from samldb.cAndrew Tridgell1-26/+69
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4-dsdb: replaced another use of samdb_search in a ldb moduleAndrew Tridgell1-4/+10
we should be using the dsdb_module_search*() calls Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4-dsdb: fixed primaryGroupID to use dsdb_module_search_dn()Andrew Tridgell1-6/+14
this avoids using a multi-part extended DN in a search that hits the check in extended_dn_in Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4-dsdb: fixed filtering of tokengroupsAndrew Tridgell1-5/+3
builtin groups are shown in user tokenGroups searches Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4-samdb: give a more useful debug when we can't open the privileges dbAndrew Tridgell1-0/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4-dsdb: validate number of extended componentsAndrew Tridgell1-2/+10
this checks that the number of extended components in a DN is valid, to match MS AD behaviour. We need to do this to ensure that our tools don't try to do operations that will be invalid when used against MS servers Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-14s4-dsdb Implement tokenGroups expansion directly in ldb operational moduleAndrew Bartlett1-29/+101
This removes a silly cross-dependency between the ldb moudle stack and auth/ Andrew Bartlett
2011-01-12s4:extended_dn_out LDB module - initialise "have_reveal_control"Matthias Dieter Wallnöfer1-1/+1
2010-12-23s4:acl LDB module - "acl_rename" - memory contexts fixupMatthias Dieter Wallnöfer1-5/+19
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 23 22:49:41 CET 2010 on sn-devel-104
2010-12-23s4:acl LDB module - add a missing "talloc_free(tmp_ctx)" in an error pathMatthias Dieter Wallnöfer1-0/+1
Just for consistency. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 23 21:46:38 CET 2010 on sn-devel-104
2010-12-22s4-acl: Implementation of Validated-SPN validated writeNadezhda Ivanova1-0/+215
If this right is granted to a user, they may modify the SPN of an object with some value restrictions serviceName can be set only if the object is a DC, and then only to the default domain and netbios name, or ntds_guid._msdsc_.forest_domain. If the serviceType is GC, only to the forest root domain. If the serviceType is ldap, then to forest_domain or netbiosname. InstanceType can be samAccountName or dnsHostName.
2010-12-21s4-auth Remove duplicate copies of session_info creation codeAndrew Bartlett1-5/+22
We now just do or do not call into LDB based on some flags. This means there may be some more link time dependencies, but we seem to deal with those better now. Andrew Bartlett
2010-12-21s4-auth rework session_info handling not to require an auth contextAndrew Bartlett1-1/+1
This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21s4-auth Remove event context from privilage database handlingAndrew Bartlett2-7/+4
These local TDB operations can quite safely be handled in a new/nested event context, rather than using the main event context. Andrew Bartlett
2010-12-18Revert "s4-dsdb Don't talloc_free() ares on failure, as LDB might free it later"Andrew Bartlett1-0/+1
This reverts commit 25163380239abbad28f1656c42e6fab1b92473d9 because further analyis showed the real problem was introduced in 0941099a (which changed the caller behaviour, but only for indexed searches). Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Dec 18 02:19:59 CET 2010 on sn-devel-104
2010-12-18ldb: Rename controls_except_specified -> ldb_controls_except_specified.Jelmer Vernooij1-2/+2
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Dec 18 01:33:24 CET 2010 on sn-devel-104
2010-12-18ldb: Rename last instance of save_controls -> ldb_save_controls.Jelmer Vernooij1-1/+1
2010-12-16s4-dsdb Don't talloc_free() ares on failure, as LDB might free it laterAndrew Bartlett1-1/+0
We need to make LDB consistent here (indexed vs unindexed behaviour differs here!), but for the moment this is the easiest way out of a segfault. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 16 06:42:56 CET 2010 on sn-devel-104
2010-12-15s4-dsdb: Fixed incorrect LDAP return code when anonymous login is used.Nadezhda Ivanova1-1/+1
2010-12-13s4:dsdb:password_hash: verify content if the BYPASS_PASSWORD_HASH control is ↵Stefan Metzmacher1-2/+395
used Make it much harder to import bad data into the password attributes. This isn't 100% safe, but much better than no checks. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Dec 13 16:17:36 CET 2010 on sn-devel-104
2010-12-13s4:dsdb:util: dsdb_get_single_valued_attr() only needs a const ldb_messagesStefan Metzmacher1-1/+1
metze
2010-12-08s4-acl: Replaced talloc_reference with talloc_steal, as aclread is the only ↵Nadezhda Ivanova1-6/+3
one using this result message. No need to reference as no one further up the stack uses the result, it is the result of a secondary request sent by aclread. As a result from code review by Kamen Mazdrashki and Anatoliy Atanasov Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Wed Dec 8 15:01:51 CET 2010 on sn-devel-104
2010-12-08s4-acl: Changed the mechanism of attribute removal to speed it up.Nadezhda Ivanova1-41/+88
Instead of using ldb_msg_remove_attr, now we are flagging the attributes to be removed, and allocating the new elements array to be returned at once. This seems to decrease the overhead by 50 percent. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Wed Dec 8 12:00:27 CET 2010 on sn-devel-104
2010-12-08s4-dsdb: register samba handlers in dsdb moduleAndrew Tridgell1-0/+6
2010-12-06s4-acl: Remove unused variables from aclread module.Nadezhda Ivanova1-8/+0
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Mon Dec 6 16:48:35 CET 2010 on sn-devel-104
2010-12-06s4:acl_read LDB module - fix attributes listMatthias Dieter Wallnöfer1-1/+1
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Mon Dec 6 15:11:44 CET 2010 on sn-devel-104
2010-12-06s4-acl: Some optimisation of the aclread moduleNadezhda Ivanova1-58/+75
Modified the aclread module to now insert the attributes needed to perform access checks in the same request, instead of doind a separate search per entry. Also, instanceType is now used to determine id the object has a parent instead of parentGUID, which saves one additional search in operational. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Mon Dec 6 13:50:19 CET 2010 on sn-devel-104
2010-12-06s4-acl: Moved aclread module below descriptor and acl.Nadezhda Ivanova1-1/+1
The aclread needs to be belod descriptor, as it needs to have the full nTsecurityDescriptor to make the checks, and the descriptor module may filter out parts of it if SD_FLAGS_CONTROL is provided.
2010-12-06s4:fix some shadowed declaration warnings on Solaris by renaming the symbolsMatthias Dieter Wallnöfer1-10/+15
2010-12-06s4-repl_meta_data: Print function name when we can't find attribute in ↵Kamen Mazdrashki1-1/+2
Schema cache Same error message is printed by linked_attributes.c module and it was really hard to tell where the error occurred Autobuild-User: Kamen Mazdrashki <kamenim@samba.org> Autobuild-Date: Mon Dec 6 00:05:59 CET 2010 on sn-devel-104