Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2010-08-27 | s4-dsdb: Fixed a compiler warning. | Nadezhda Ivanova | 1 | -1/+0 | |
2010-08-26 | s4:dsdb_module_find_dsheuristics - free the "DN" also on other exit cases | Matthias Dieter Wallnöfer | 1 | -0/+2 | |
2010-08-26 | s4-dsdb: Removed an unnecessary space in dsdb_module_find_dsheuristics() | Nadezhda Ivanova | 1 | -1/+1 | |
2010-08-26 | s4-dsdb: Added utility functions for retrieving dSHeuristics from the module ↵ | Nadezhda Ivanova | 1 | -0/+47 | |
stack Also a function to check dsHeuristics value to determine of anonymous access should be blocked | |||||
2010-08-23 | s4:security Change struct security_token->sids from struct dom_sid * to ↵ | Andrew Bartlett | 5 | -29/+26 | |
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett | |||||
2010-08-20 | s4-dsdb: the RODC_JOIN control also changes samAccountName | Andrew Tridgell | 1 | -9/+13 | |
when adding a user with the RODC_JOIN control, the samAccountName is automatically set to the krbtgt_NNNNN form Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-19 | s4: fix few comment typos | Kamen Mazdrashki | 1 | -2/+2 | |
2010-08-19 | s4-dsdb: Use dsdb_syntax_ctx in *_validate_ldb functions | Kamen Mazdrashki | 1 | -1/+5 | |
2010-08-18 | s4:auth Change {anonymous,system}_session to use common session_info generation | Andrew Bartlett | 1 | -2/+4 | |
This also changes the primary group for anonymous to be the anonymous SID, and adds code to detect and ignore this when constructing the token. Andrew Bartlett | |||||
2010-08-18 | s4:security Remove use of user_sid and group_sid from struct security_token | Andrew Bartlett | 3 | -6/+6 | |
This makes the structure more like Samba3's NT_USER_TOKEN | |||||
2010-08-17 | s4:password_hash LDB module - perform the adaptions to understand the new ↵ | Matthias Dieter Wallnöfer | 1 | -8/+26 | |
password change control | |||||
2010-08-17 | s4:acl LDB module - support password changes over the ↵ | Matthias Dieter Wallnöfer | 1 | -1/+15 | |
DSDB_CONTROL_PASSWORD_CHANGE_OID control This control is used from the SAMR and "kpasswd" password changes. It is strictly private and means "this is a password change and not a password set". | |||||
2010-08-17 | s4:DSDB - DSDB_CONTROL_PASSWORD_CHANGE_OID - add a structure as value to the ↵ | Matthias Dieter Wallnöfer | 1 | -0/+5 | |
control This contains the NT and/or LM hash of the password specified by the user. | |||||
2010-08-17 | s4:DSDB - rename the "DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID" | Matthias Dieter Wallnöfer | 2 | -9/+8 | |
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards contain a record with the specified old password as NT and/or LM hash. | |||||
2010-08-17 | s4-dsdb: check the type of session_info from the opaque | Andrew Tridgell | 1 | -2/+2 | |
we saw a crash with a bad pointer here, and this may help track it down Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT | Andrew Tridgell | 1 | -2/+9 | |
when this is in user_account_control the account is a RODC, and we need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: cope with cracknames of form dnsdomain\account | Andrew Tridgell | 1 | -2/+8 | |
this is used by w2k8r2 when doing a RODC dcpromo Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: set LDB_FLAG_INTERNAL_DISABLE_VALIDATION for msDS-SecondaryKrbTgtNumber | Andrew Tridgell | 1 | -1/+8 | |
msDS-SecondaryKrbTgtNumber is setup with a value that is outside the range allowed by the schema (the schema has rangeLower==rangeUpper==65536). We need to mark this element as being internally generated to avoid the range checks Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-ldb: added LDB_FLAG_INTERNAL_DISABLE_VALIDATION | Andrew Tridgell | 1 | -7/+9 | |
When this flag is set on an element in an add/modify request then the normal validate_ldb() call that checks the element against schema constraints is disabled Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messages | Andrew Tridgell | 4 | -15/+15 | |
The flags field of message elements is part of a set of flags. We had LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely being used (only 1 call used it correctly). This adds LDB_FLAG_MOD_MASK() to make it more obvious what is going on. This will allow us to use some of the other flags bits for internal markers on elements Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: support LDB_CONTROL_RODC_DCPROMO_OID for nTDSDSA add | Andrew Tridgell | 1 | -1/+24 | |
this control disables the system only check for nTDSDSA add operations Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: fixed test for LDB_CONTROL_RODC_DCPROMO_OID | Andrew Tridgell | 1 | -1/+1 | |
the ldb_msg_add_fmt() call returns LDB_SUCCESS on success | |||||
2010-08-17 | s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID | Andrew Tridgell | 1 | -0/+69 | |
this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a user object. There is some 'interesting' interaction with the rangeLower and rangeUpper attributes and this add. We don't implementat rangeLower/rangeUpper yet, but when we do we'll need an override for this control (or be careful about module ordering). Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-15 | s4:password_hash LDB module - introduce the extended LDAP error codes on the ↵ | Matthias Dieter Wallnöfer | 1 | -43/+72 | |
important failure cases | |||||
2010-08-15 | s4:password_hash LDB module - support this new password set syntax | Matthias Dieter Wallnöfer | 1 | -2/+10 | |
2010-08-15 | s4:password_hash LDB module - allow to compare against both NT and LM hashes ↵ | Matthias Dieter Wallnöfer | 1 | -10/+1 | |
on password change operations This is to match the SAMR password change behaviour. | |||||
2010-08-15 | s4:subtree_rename.c - relax the checks when requested | Matthias Dieter Wallnöfer | 1 | -0/+5 | |
(Needed by upgradeprovision for example) | |||||
2010-08-14 | s4:password_hash LDB module - improve an error message | Matthias Dieter Wallnöfer | 1 | -2/+2 | |
2010-08-14 | s4:password_hash LDB module - implement the SAMR behaviour when checking old ↵ | Matthias Dieter Wallnöfer | 1 | -5/+16 | |
passwords Sooner or later this module should take over all password change actions. | |||||
2010-08-14 | s4:password_hash LDB module - fix wrong error codes | Matthias Dieter Wallnöfer | 1 | -4/+4 | |
To match the passwords.py test | |||||
2010-08-10 | s4:objectclass LDB module - weak the check for the "rIDSet" delete constraint | Matthias Dieter Wallnöfer | 1 | -8/+10 | |
Perform it only when a "rIDSet" does exist. Requested by ekacnet for "upgradeprovision". | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - enhance and clean the ↵ | Matthias Dieter Wallnöfer | 1 | -8/+20 | |
"systemFlags" section Also here we have to test for single-valueness. | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - implement "objectCategory" ↵ | Matthias Dieter Wallnöfer | 1 | -5/+34 | |
validation | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - reject creation of LSA ↵ | Matthias Dieter Wallnöfer | 1 | -0/+8 | |
specific objects (only using the RELAX flag allowed) | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - move two checks | Matthias Dieter Wallnöfer | 1 | -17/+12 | |
To be more consistent with the MS-ADTS doc. | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - deny multiple "objectclass" ↵ | Matthias Dieter Wallnöfer | 1 | -5/+14 | |
message elements Requested by MS-ADTS 3.1.1.5.2.2 | |||||
2010-08-07 | s4:objectclass LDB module - "add" operation - free "mem_ctx" as soon as possible | Matthias Dieter Wallnöfer | 1 | -4/+2 | |
We don't need to have it around until the end of the function. | |||||
2010-08-04 | s4:LDB modules - remove the "kludge_acl" module code | Matthias Dieter Wallnöfer | 1 | -516/+0 | |
Obviously this has been forgotten by Nadya. | |||||
2010-08-04 | s4-dsdb: Removed kludge_acl as it is no longer necessary | Nadezhda Ivanova | 5 | -23/+47 | |
Moved the access check on extended operations to acl module and removed kludge_acl | |||||
2010-08-01 | s4:instancetype LDB module - add checks requested by MS-ADTS 3.1.1.5.2.2 | Matthias Dieter Wallnöfer | 1 | -6/+20 | |
We've to test for the WRITE flag if we are performing an NC add. And if it isn't an NC add then only the WRITE or no flag is allowed. | |||||
2010-08-01 | s4:objectclass LDB module - consider the "instanceType" when adding NCs | Matthias Dieter Wallnöfer | 1 | -10/+18 | |
This is requested by MS-ADTS 3.1.1.5.2.2 (NC add operation). | |||||
2010-08-01 | s4:descriptor LDB module - remove the "forest DN" check | Matthias Dieter Wallnöfer | 1 | -4/+3 | |
Also here we have to work with the default base DN. After some reading I've discovered that this isn't really true. The forest partition does exist on one or more DCs and is there the same as the default base DN (which is already checked by the module). And if we have other DCs which contain child domains then they never contain data of the forest domain beside the schema and the configuration partition (which are checked anyway) since a DC can always contain only one domain! Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5 | |||||
2010-08-01 | s4:acl LDB module - remove the "forest DN" check | Matthias Dieter Wallnöfer | 1 | -6/+3 | |
After some reading I've discovered that this isn't really true. The forest partition does exist on one or more DCs and is there the same as the default base DN (which is already checked by the module). And if we have other DCs which contain child domains then they never contain data of the forest domain beside the schema and the configuration partition (which are checked anyway) since a DC can always contain only one domain! Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5 | |||||
2010-08-01 | s4:acl LDB module - remove unused call "is_root_base_dn" | Matthias Dieter Wallnöfer | 1 | -8/+0 | |
2010-08-01 | s4:objectclass LDB module - implement additional delete constraint checks | Matthias Dieter Wallnöfer | 1 | -3/+47 | |
MS-ADTS 3.1.1.5.5.3 | |||||
2010-08-01 | s4:subtree_rename LDB module - rename "check_system_flags" into ↵ | Matthias Dieter Wallnöfer | 1 | -9/+43 | |
"check_constraints" and perform more checks Always considering MS-ADTS 3.1.1.5.4.1.2. | |||||
2010-08-01 | s4:subtree_rename LDB module - introduce out of memory checks | Matthias Dieter Wallnöfer | 1 | -0/+4 | |
2010-08-01 | s4:dsdb/samdb/ldb_modules/util.c - remove unused variables | Matthias Dieter Wallnöfer | 1 | -2/+0 | |
2010-08-01 | s4:subtree_rename LDB module - introduce the "systemFlags" protection rules | Matthias Dieter Wallnöfer | 1 | -2/+122 | |
This is done in a dedicated call "check_system_flags". | |||||
2010-07-31 | s4:subtree_rename LDB module - "subren_ctx_init" - fix the "out of memory" ↵ | Matthias Dieter Wallnöfer | 1 | -3/+2 | |
return |