summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
AgeCommit message (Collapse)AuthorFilesLines
2013-08-19samdb: Fix CID 1034910 Dereference before null checkVolker Lendecke1-3/+3
strncmp("tdb://", sam_name, 6) dereferences sam_name. Check for NULL before that. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-19samdb: Fix CID 1034910 Dereference before null checkVolker Lendecke1-3/+3
strncmp("tdb://", sam_name, 6) dereferences sam_name. Check for NULL before that. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-19samdb: Fix CID 1034910 Dereference before null checkVolker Lendecke1-3/+3
strncmp("tdb://", secrets_ldb, 6) dereferences secrets_ldb. Check for NULL before that. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-06drs-cracksname: fix problems that prevented to pass our torture testsMatthieu Patou1-6/+21
Some of the problems where also reported by Microsoft testing tools Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06drs-crackname: Fix error code so that we have the same as windowsMatthieu Patou1-0/+1
Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06drs-cracknames: When cracking NT4 names we should just look at netbios for ↵Matthieu Patou1-2/+1
the match Looking at dnsRoot will yield a result for domain.tld\username when it shouldn't work. Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06drs-crackname: Fix cracknames for the format UNKNOWN when the data is ↵Matthieu Patou1-1/+4
actually a GUID The cannonical crackname expect a "/" or it returns DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR, when doing UNKNOWN format it's not an error to not have a "/" in the name to crack it's just a sign the name is not a cannonical one. Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-07-30dsdb: Include MS-ADTS doc references on deleted object contstraintsAndrew Bartlett1-0/+16
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-30dsdb: Improve DRS deleted link source/target handing in repl_meta_dataAndrew Bartlett1-8/+97
We now correctly ignore the link updates if the source or target is deleted locally. This fixes the long-standing failure in the vampire_dc dbcheck test. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-30dsdb: Ensure we always force deleted objects back under the deleted objects DNAndrew Bartlett1-26/+65
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-30dsdb/repl_meta_data: split out replmd_deletion_state()Stefan Metzmacher1-31/+71
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-07-30dsdb: Prune deleted objects of links and extra attributes of replicated deletesAndrew Bartlett1-71/+199
When an object is deleted, the links to be removed are not propogated, you have to watch out for them manually! We do this by calling back into the originating update delete code (ie what is called if you ldb_delete() locally) so that any extra attribute found locally and not on the remote server becomes removed remotely too. We currently do the same with links, but that isn't strictly correct, but for now our getNCChanges server code filters these out, so only the usn is bumped. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-25dsdb/samdb: use RECYCLED it implies DELETED...Stefan Metzmacher2-3/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-24dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation ↵Andrew Bartlett1-15/+41
fails We now also only poke the RID manager once per request. This may help track down why RID allocation can fail, as while we never wait for the RID set to be created/updated, it may be the only clue the admin gets as to why the async allocations were failing. Andrew Bartlett Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-24dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searchesAndrew Bartlett2-104/+99
This should be more efficient, particularly in the leaf node case when renaming and deleting entries on large databases. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-24dsdb-descriptor: Do not do a subtree search unless we have child entriesAndrew Bartlett1-1/+32
This avoids a subtree search here in most cases where an object is deleted. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-04dsdb-ridalloc: Fix RID pools - RID numbers increase too quicklyAndrew Bartlett1-1/+2
A patch by Cove Schneider <cove_s@yahoo.com> who reports: I noticed that the RID numbers seem to increase incrementally, then will suddenly jump by 124501. Unless I'm misunderstanding, shouldn't RID pool allocations just be 500 at a time? e.g. Adding accounts one after another on a single test instance here's how they're incrementing (from 4.0.6): 1596 1597 1598 1599 126100 126101 126102 ... 126599 251100 ... 251599 376100 ... The problem is that this complicates using sssd's AD integration, as that it doesn't expect the RIDs to increase in a single domain so quickly. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Jul 4 20:13:05 CEST 2013 on sn-devel-104
2013-06-19build: Build with system md5.h on OpenIndianaAndrew Bartlett1-1/+1
This changes (again...) our system md5 detection to cope with how OpenIndiana does md5. I'm becoming increasingly convinced this isn't worth our while (we should have just done samba_md5...), but for now this change seems to work on FreeBSD, OpenIndiana and Linux with libbsd. This needs us to rename struct MD5Context -> MD5_CTX, but we provide a config.h define to rename the type bad if MD5_CTX does not exist (it does however exist in the md5.h from libbsd). Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
2013-06-13dsdb repl_meta_data: Use dsdb_request_add_controls()Andrew Bartlett1-18/+1
This makes the code easier to read. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Jun 13 11:15:01 CEST 2013 on sn-devel-104
2013-06-12dsdb: Fix behaviour for when to update the USN when there is no changeAndrew Bartlett1-6/+28
This handles deletions and replacements with no value, or with an exactly specified value, as well as modifies. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-06-11Revert "s4-dsdb: Remove strcasecmp() fallback in ↵Andrew Bartlett1-0/+7
replmd_ldb_message_element_attid_sort" This reverts commit d799b25dd3ed0f72ee03949225ba241c5538d7d6. Sometimes the schema just isn't right. A segfault is not the correct answer in those cases. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-06-10s4:samldb LDB module - MS-SAMR 3.1.1.8.10 "userAccountControl"Matthias Dieter Wallnöfer1-16/+66
"UF_LOCKOUT" and "UF_PASSWORD_EXPIRED" are never stored but rather are used for special semantics. "UF_LOCKOUT" performs an account lockout and "UF_PASSWORD_EXPIRED" forces password expiration. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Jun 10 07:32:35 CEST 2013 on sn-devel-104
2013-06-05s4:samldb LDB module - permit "userAccountControl" modifications without ↵Matthias Dieter Wallnöfer1-2/+26
acct. type Obviously this defaults to UF_NORMAL_ACCOUNT. Some background can be found in MS-SAMR section 3.1.1.8.10. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jun 5 03:26:25 CEST 2013 on sn-devel-104
2013-06-05s4:samldb LDB module - "userAccountControl" = 0 means UF_NORMAL_ACCOUNT on addMatthias Dieter Wallnöfer1-3/+11
Windows Server 2008 has changed semantics in comparison to Server 2003. Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-28dsdb-repl_meta_data: Move TODO comment about conflicts and missing parentsAndrew Bartlett1-9/+4
Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue May 28 18:11:00 CEST 2013 on sn-devel-104
2013-05-28dsdb-repl_meta_data: Handle renames better, considering only the RDN as ↵Andrew Bartlett1-76/+141
given, and then the parent as given This ignores the full DN as given, because the parent compents might be out of date. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-28dsdb-linked_attributes: Do not crash if the target GUID can not be foundAndrew Bartlett1-0/+15
Note that we must not give an error when we cannot find the object that should hold the backlink, there really isn't anything we can do in this case. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-20Fix warning by setting the variable from GUID to const GUIDMatthieu Patou1-1/+2
Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20Fix more unused varsMatthieu Patou1-2/+1
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20Fix a warning about a set but unused variable by actually using itMatthieu Patou1-0/+5
Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20operational: remove double loopsMatthieu Patou1-31/+47
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-16dsdb: Expand on what the error finding the ntSecurityDescriptor was in acl_readAndrew Bartlett1-2/+8
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-15source4/dsdb/samdb/ldb_modules/local_password.c: Fix typo in comment.Karolin Seeger1-1/+1
Signed-off-by: Karolin Seeger <kseeger@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-14dsdb: make the name of non related class more obviousMatthieu Patou1-2/+3
Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-04-19s4:dsdb: Fix warnings about not set / set but unused / shadowed variablesMatthieu Patou6-17/+5
Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 19 13:15:40 CEST 2013 on sn-devel-104
2013-02-22dsdb-descriptor: Avoid segfault copying an SD without an owner or groupAndrew Bartlett1-4/+12
This is an unusual SD, but it does exist is some very old upgraded databases. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Feb 22 11:06:17 CET 2013 on sn-devel-104
2013-02-22dsdb-descriptor: Spell out security descriptor flags as constantsAndrew Bartlett2-2/+2
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-02-20ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'Rusty Russell1-3/+10
Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au> Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-08dsdb-operational: rework the loop for attribute removalMatthieu Patou1-41/+92
Instead of doing ldb_in_list size(operational_remove) * (attrs_user + attr_searched) * number of entries times to get the list of attributes to remove we construct this list before the search and then use it for every entries. Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-08replmetadata: raise msg level for conflict resolution so that we don't ↵Matthieu Patou1-2/+2
polute logs Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-08dsdb-cracknames: Fix potential double free and memory leaksMatthieu Patou1-2/+4
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-04dsdb/password_hash: rename variable 'stat' to 'vstat'Stefan Metzmacher1-5/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-04dsdb/password_hash: make sure that io->n.cleartext_utf8.data is a null ↵Stefan Metzmacher1-0/+23
terminated string Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-01-27dsdb-descriptor: get_default_group() should always return the DAG sid (bug ↵Stefan Metzmacher1-5/+10
#9481) Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-23dsdb-acl: remove unused variableStefan Metzmacher1-1/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Jan 23 20:04:09 CET 2013 on sn-devel-104
2013-01-21dsdb: Fix warning about unused varMatthieu Patou1-2/+0
Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Jan 21 17:51:16 CET 2013 on sn-devel-104
2013-01-21dsdb: Explain ordering constraints on the ACL module as well.Andrew Bartlett1-2/+2
Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb: Ensure "authenticated users" is processed for group membershipsAndrew Bartlett1-31/+0
This change moves the addition of "Authenticated Users" from the very end of the token processing to the start. The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects. Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21libcli/security: handle node initialisation in one spot in ↵Andrew Bartlett1-8/+8
insert_in_object_tree() This removes special-case for initalising the children array in insert_in_object_tree(). talloc_realloc() handles the intial allocate case perfectly well, so there is no need to have this duplicated. This also restores having just one place were the rest of the elements are intialised, to ensure uniform behaviour. To do this, we have to rework insert_in_object_tree to have only one output variable, both because having both root and new_node as output variables was too confusing, and because otherwise the two pointers were being allowed to point at the same memory. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: the SEC_ADS_DELETE_CHILD checks need objectclass->schemaIDGUIDStefan Metzmacher1-2/+7
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>