summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
AgeCommit message (Collapse)AuthorFilesLines
2010-09-12s4:samldb LDB module - simplify the message handling on add and modify ↵Matthias Dieter Wallnöfer1-33/+28
operations We perform always only one shallow copy operation of the message on the "req" context. This allows to free the "ac" context when we've prepared all our changes.
2010-09-12s4:samldb LDB module - move "samldb_prim_group_users_check" more down to see ↵Matthias Dieter Wallnöfer1-41/+41
that it is only in use by the delete operation add and modify helpers will stay on the top of the add and modify operation since they will likely be shared as much as possible.
2010-09-12s4:samldb LDB module - add a comment to mark the beginning of the extended ↵Matthias Dieter Wallnöfer1-0/+2
operation handler
2010-09-12s4:samldb LDB module - refactor "samldb_find_for_defaultObjectCategory" to ↵Matthias Dieter Wallnöfer1-94/+22
be again synchronous Also to make it easier to comprehend
2010-09-12s4:samldb LDB module - refactor the "primaryGroupID" check on user creationMatthias Dieter Wallnöfer1-137/+39
This looks more straight-forward now.
2010-09-12s4:samldb LDB module - get rid of the SID context variableMatthias Dieter Wallnöfer1-20/+17
Since we get more and more rid of async stuff we don't need this in the context anymore.
2010-09-12s4:samldb LDB module - use also here the real attribute denomination ↵Matthias Dieter Wallnöfer1-1/+1
"sAMAccountName" Purely cosmetic - but nicer to read
2010-09-12s4:samldb LDB module - rename "check_SamAccountType" into "check_sAMAccountType"Matthias Dieter Wallnöfer1-5/+4
And a small cosmetic change. I like to have the real attribute names in the function denominations
2010-09-12s4:samldb LDB module - make "samldb_check_sAMAccountName" synchronous againMatthias Dieter Wallnöfer1-71/+19
To make it more understandable
2010-09-11libcli/security Use talloc_zero when making a struct security_tokenAndrew Bartlett1-2/+0
2010-09-11s4-privs Seperate rights and privilegesAndrew Bartlett1-2/+6
These are related, but slightly different concepts. The biggest difference is that rights are not enumerated as a system-wide list. This moves the rights to security.idl due to dependencies. Andrew Bartlett
2010-09-11libcli/security make sec_privilege_id() return SEC_PRIV_INVALID on failure.Andrew Bartlett1-1/+1
Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-10s4/fsmo: Change return type from NTSTATUS to WERROR for drepl_takeFSMOroleAnatoliy Atanasov1-2/+3
This removed an unnecessary conversion of the return type in drepl_take_FSMO_role.
2010-09-10s4-fsmo: update FSMO changes for recent IRPC workAndrew Tridgell1-4/+10
the IRPC API has changed Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-10s4-ldap: Added support for FSMO role transfer via LDAP by modify on rootDSENadezhda Ivanova1-1/+46
GetNCChanges with the corresponding extended operation is initiated and added to the queue when a modify request is received on becomeSchemaMaster, becomeRidMaster, becomeNamingMaster, becomeInfrastructureMaster and becomePDC attributes in rootDSE.
2010-09-09s4-dsdb Change debug levels for startup messagesAndrew Bartlett2-10/+10
We should make the 'common' error not show up, but the unusal case fatal. Andrew Bartlett
2010-09-05dsdb: make the ATTRIBUTE NOT FOUND more clearMatthieu Patou1-0/+3
2010-09-04dsdb: Add missing dependencies for dsdb ldb modules.Jelmer Vernooij1-2/+2
2010-09-02s4:dsdb Fix attribute being searched for in dereference against Fedora DSAndrew Bartlett1-1/+1
The problem here is that these attributes are not mapped in the simple_ldap_map, and they were changed a while back. Andrew Bartlett
2010-09-02s4:dsdb Make the dereference control critical if input is criticalAndrew Bartlett1-1/+3
This helps us ensure that the backend knows about and respects the dereference control if our caller has asked that the extended DN control be considered critical. Andrew Bartlett
2010-09-02s4:dsdb Don't reload the schema against OpenLDAP backendAndrew Bartlett2-3/+13
The schema should be considered read-only when we are using the OL backend, as we can't update the backend schema in real time anyway. Andrew Bartlett
2010-08-27s4-dsdb: Fixed a compiler warning.Nadezhda Ivanova1-1/+0
2010-08-26s4:dsdb_module_find_dsheuristics - free the "DN" also on other exit casesMatthias Dieter Wallnöfer1-0/+2
2010-08-26s4-dsdb: Removed an unnecessary space in dsdb_module_find_dsheuristics()Nadezhda Ivanova1-1/+1
2010-08-26s4-dsdb: Added utility functions for retrieving dSHeuristics from the module ↵Nadezhda Ivanova1-0/+47
stack Also a function to check dsHeuristics value to determine of anonymous access should be blocked
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett5-29/+26
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20s4-dsdb: the RODC_JOIN control also changes samAccountNameAndrew Tridgell1-9/+13
when adding a user with the RODC_JOIN control, the samAccountName is automatically set to the krbtgt_NNNNN form Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-19s4: fix few comment typosKamen Mazdrashki1-2/+2
2010-08-19s4-dsdb: Use dsdb_syntax_ctx in *_validate_ldb functionsKamen Mazdrashki1-1/+5
2010-08-18s4:auth Change {anonymous,system}_session to use common session_info generationAndrew Bartlett1-2/+4
This also changes the primary group for anonymous to be the anonymous SID, and adds code to detect and ignore this when constructing the token. Andrew Bartlett
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett3-6/+6
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-17s4:password_hash LDB module - perform the adaptions to understand the new ↵Matthias Dieter Wallnöfer1-8/+26
password change control
2010-08-17s4:acl LDB module - support password changes over the ↵Matthias Dieter Wallnöfer1-1/+15
DSDB_CONTROL_PASSWORD_CHANGE_OID control This control is used from the SAMR and "kpasswd" password changes. It is strictly private and means "this is a password change and not a password set".
2010-08-17s4:DSDB - DSDB_CONTROL_PASSWORD_CHANGE_OID - add a structure as value to the ↵Matthias Dieter Wallnöfer1-0/+5
control This contains the NT and/or LM hash of the password specified by the user.
2010-08-17s4:DSDB - rename the "DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID"Matthias Dieter Wallnöfer2-9/+8
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards contain a record with the specified old password as NT and/or LM hash.
2010-08-17s4-dsdb: check the type of session_info from the opaqueAndrew Tridgell1-2/+2
we saw a crash with a bad pointer here, and this may help track it down Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNTAndrew Tridgell1-2/+9
when this is in user_account_control the account is a RODC, and we need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-dsdb: cope with cracknames of form dnsdomain\accountAndrew Tridgell1-2/+8
this is used by w2k8r2 when doing a RODC dcpromo Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-dsdb: set LDB_FLAG_INTERNAL_DISABLE_VALIDATION for msDS-SecondaryKrbTgtNumberAndrew Tridgell1-1/+8
msDS-SecondaryKrbTgtNumber is setup with a value that is outside the range allowed by the schema (the schema has rangeLower==rangeUpper==65536). We need to mark this element as being internally generated to avoid the range checks Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-ldb: added LDB_FLAG_INTERNAL_DISABLE_VALIDATIONAndrew Tridgell1-7/+9
When this flag is set on an element in an add/modify request then the normal validate_ldb() call that checks the element against schema constraints is disabled Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messagesAndrew Tridgell4-15/+15
The flags field of message elements is part of a set of flags. We had LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely being used (only 1 call used it correctly). This adds LDB_FLAG_MOD_MASK() to make it more obvious what is going on. This will allow us to use some of the other flags bits for internal markers on elements Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-dsdb: support LDB_CONTROL_RODC_DCPROMO_OID for nTDSDSA addAndrew Tridgell1-1/+24
this control disables the system only check for nTDSDSA add operations Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-dsdb: fixed test for LDB_CONTROL_RODC_DCPROMO_OIDAndrew Tridgell1-1/+1
the ldb_msg_add_fmt() call returns LDB_SUCCESS on success
2010-08-17s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OIDAndrew Tridgell1-0/+69
this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a user object. There is some 'interesting' interaction with the rangeLower and rangeUpper attributes and this add. We don't implementat rangeLower/rangeUpper yet, but when we do we'll need an override for this control (or be careful about module ordering). Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-15s4:password_hash LDB module - introduce the extended LDAP error codes on the ↵Matthias Dieter Wallnöfer1-43/+72
important failure cases
2010-08-15s4:password_hash LDB module - support this new password set syntaxMatthias Dieter Wallnöfer1-2/+10
2010-08-15s4:password_hash LDB module - allow to compare against both NT and LM hashes ↵Matthias Dieter Wallnöfer1-10/+1
on password change operations This is to match the SAMR password change behaviour.
2010-08-15s4:subtree_rename.c - relax the checks when requestedMatthias Dieter Wallnöfer1-0/+5
(Needed by upgradeprovision for example)
2010-08-14s4:password_hash LDB module - improve an error messageMatthias Dieter Wallnöfer1-2/+2
2010-08-14s4:password_hash LDB module - implement the SAMR behaviour when checking old ↵Matthias Dieter Wallnöfer1-5/+16
passwords Sooner or later this module should take over all password change actions.