| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Let us do the distinction by real use and provision by the RELAX flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
We intend to see always all objects with the "show_deleted" control specified.
To see also recycled objects (beginning with 2008_R2 function level) we need to
use the new "show_recycled" control.
As far as I see this is only internal code and therefore we don't run into
problems if we do substitute it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is needed if the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag was specified
and the parent is renamed.
To be able to do this we also need to relax the constraint checks (using the
"isDeleted" proof).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
MS-ADTS 3.1.1.3.4.1 and MS-ADTS 3.1.1.5.5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The deleted objects (tombstones, recycled & deleted objects) are handled by
"repl_meta_data".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is what Windows does
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
A typo prevented the right behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
we need to ensure we only ever compare USNs from the same originating
invocation ID.
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sat Oct 2 01:45:19 UTC 2010 on sn-devel-104
|
|
we could use old_el after the base message had been re allocated, due
to adding timestamps. We need to re-find the element before using it
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
It is more useful to fail the transaction and give the user an error
message than to assert when we have an error in the repl_meta_data
module
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when we setup the krbtgt_NNNN account using the DCPROMO_OID control,
we also need to set an initial password for this account
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
A RODC cannot assume a role, and unwillingToPerform must be
returned if such request is sent via LDAP
|
|
If we don't we could show an old, incrorrect error
|
|
|
|
|
|
It is the same as ldb_request_add_control, except it will replace
an existing control.
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Sep 27 19:00:38 UTC 2010 on sn-devel-104
|
|
It is currently enabled only if the request comes from the LDAP server, and is
disabled by default. Use acl:search=true in smb.conf to enable it.
It filters out all objects the user is not allowed to see, and all attributes
the user does not have RP on. Extended access not supported yet.
|
|
againts Windows
These tests will fail in make test as well if the acl_read module is enabled.
|
|
Similar to dsdb_check_access_on_dn, only it searches by guid.
|
|
We need these to be accessible to the aclread module as well.
|
|
|
|
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
|
|
connections
|
|
|
|
this allows you to call dsdb_req_chain_debug() in gdb or when writing
debug code to see the request chain
|
|
we don't want a refsFrom on the Rid Manage$ DN
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
|
|
This creates keytab entries with all the servicePrincipalNames listed
in the secrets.ldb entry.
Andrew Bartlett
|
|
This code never really belonged in the credentials layer, and
is easier done with direct access to the ldb_message that is
in secrets.ldb.
Andrew Bartlett
|
|
be casefolded correctly
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
"show_deleted" LDB module
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This helps to fix bug #7347. "dsServiceName" cannot be made dynamic in such a
simple way since it's already needed on LDB initialisation time.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
with a primary group specified
It can only be changed afterwards. We allow a "relax"ed exception for the
provision state since we need this for the guest account.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
detection also on modify operations
Also requested by MS-SAMR 3.1.1.8.1.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
system.
|
|
NC's other than default NC had a parentGUID, due to an incorrect check of whether
the object has a parent. Fixed by checking object's instanceType instead.
|
|
We were disallowing repsFrom store as a RODC on the basis that it is a
write to the directory. It should be allowed, as its is a
non-replicated attribute.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
