summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
AgeCommit message (Collapse)AuthorFilesLines
2010-12-23s4:acl LDB module - "acl_rename" - memory contexts fixupMatthias Dieter Wallnöfer1-5/+19
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 23 22:49:41 CET 2010 on sn-devel-104
2010-12-23s4:acl LDB module - add a missing "talloc_free(tmp_ctx)" in an error pathMatthias Dieter Wallnöfer1-0/+1
Just for consistency. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 23 21:46:38 CET 2010 on sn-devel-104
2010-12-22s4-acl: Implementation of Validated-SPN validated writeNadezhda Ivanova1-0/+215
If this right is granted to a user, they may modify the SPN of an object with some value restrictions serviceName can be set only if the object is a DC, and then only to the default domain and netbios name, or ntds_guid._msdsc_.forest_domain. If the serviceType is GC, only to the forest root domain. If the serviceType is ldap, then to forest_domain or netbiosname. InstanceType can be samAccountName or dnsHostName.
2010-12-21s4-auth Remove duplicate copies of session_info creation codeAndrew Bartlett1-5/+22
We now just do or do not call into LDB based on some flags. This means there may be some more link time dependencies, but we seem to deal with those better now. Andrew Bartlett
2010-12-21s4-auth rework session_info handling not to require an auth contextAndrew Bartlett1-1/+1
This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21s4-auth Remove event context from privilage database handlingAndrew Bartlett2-7/+4
These local TDB operations can quite safely be handled in a new/nested event context, rather than using the main event context. Andrew Bartlett
2010-12-18Revert "s4-dsdb Don't talloc_free() ares on failure, as LDB might free it later"Andrew Bartlett1-0/+1
This reverts commit 25163380239abbad28f1656c42e6fab1b92473d9 because further analyis showed the real problem was introduced in 0941099a (which changed the caller behaviour, but only for indexed searches). Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Dec 18 02:19:59 CET 2010 on sn-devel-104
2010-12-18ldb: Rename controls_except_specified -> ldb_controls_except_specified.Jelmer Vernooij1-2/+2
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Dec 18 01:33:24 CET 2010 on sn-devel-104
2010-12-18ldb: Rename last instance of save_controls -> ldb_save_controls.Jelmer Vernooij1-1/+1
2010-12-16s4-dsdb Don't talloc_free() ares on failure, as LDB might free it laterAndrew Bartlett1-1/+0
We need to make LDB consistent here (indexed vs unindexed behaviour differs here!), but for the moment this is the easiest way out of a segfault. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 16 06:42:56 CET 2010 on sn-devel-104
2010-12-15s4-dsdb: Fixed incorrect LDAP return code when anonymous login is used.Nadezhda Ivanova1-1/+1
2010-12-13s4:dsdb:password_hash: verify content if the BYPASS_PASSWORD_HASH control is ↵Stefan Metzmacher1-2/+395
used Make it much harder to import bad data into the password attributes. This isn't 100% safe, but much better than no checks. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Dec 13 16:17:36 CET 2010 on sn-devel-104
2010-12-13s4:dsdb:util: dsdb_get_single_valued_attr() only needs a const ldb_messagesStefan Metzmacher1-1/+1
metze
2010-12-08s4-acl: Replaced talloc_reference with talloc_steal, as aclread is the only ↵Nadezhda Ivanova1-6/+3
one using this result message. No need to reference as no one further up the stack uses the result, it is the result of a secondary request sent by aclread. As a result from code review by Kamen Mazdrashki and Anatoliy Atanasov Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Wed Dec 8 15:01:51 CET 2010 on sn-devel-104
2010-12-08s4-acl: Changed the mechanism of attribute removal to speed it up.Nadezhda Ivanova1-41/+88
Instead of using ldb_msg_remove_attr, now we are flagging the attributes to be removed, and allocating the new elements array to be returned at once. This seems to decrease the overhead by 50 percent. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Wed Dec 8 12:00:27 CET 2010 on sn-devel-104
2010-12-08s4-dsdb: register samba handlers in dsdb moduleAndrew Tridgell1-0/+6
2010-12-06s4-acl: Remove unused variables from aclread module.Nadezhda Ivanova1-8/+0
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Mon Dec 6 16:48:35 CET 2010 on sn-devel-104
2010-12-06s4:acl_read LDB module - fix attributes listMatthias Dieter Wallnöfer1-1/+1
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Mon Dec 6 15:11:44 CET 2010 on sn-devel-104
2010-12-06s4-acl: Some optimisation of the aclread moduleNadezhda Ivanova1-58/+75
Modified the aclread module to now insert the attributes needed to perform access checks in the same request, instead of doind a separate search per entry. Also, instanceType is now used to determine id the object has a parent instead of parentGUID, which saves one additional search in operational. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Mon Dec 6 13:50:19 CET 2010 on sn-devel-104
2010-12-06s4-acl: Moved aclread module below descriptor and acl.Nadezhda Ivanova1-1/+1
The aclread needs to be belod descriptor, as it needs to have the full nTsecurityDescriptor to make the checks, and the descriptor module may filter out parts of it if SD_FLAGS_CONTROL is provided.
2010-12-06s4:fix some shadowed declaration warnings on Solaris by renaming the symbolsMatthias Dieter Wallnöfer1-10/+15
2010-12-06s4-repl_meta_data: Print function name when we can't find attribute in ↵Kamen Mazdrashki1-1/+2
Schema cache Same error message is printed by linked_attributes.c module and it was really hard to tell where the error occurred Autobuild-User: Kamen Mazdrashki <kamenim@samba.org> Autobuild-Date: Mon Dec 6 00:05:59 CET 2010 on sn-devel-104
2010-12-06s4-linked_attributes: Give more info where an error occuredKamen Mazdrashki1-3/+8
We have exact same error messages at different locations and it is little bit hard to tell where the error came from from the log.
2010-12-06s4-repl_meta_data: Remove duplicated checkKamen Mazdrashki1-2/+0
2010-12-06s4-schema_load: Strip a pointless checkKamen Mazdrashki1-3/+1
If *schema is NULL, then dsdb_schema_from_ldb_results() call should have failed
2010-12-05s4:dsdb/samdb/ldb_modules/util.h - fix a gcc 3.4 compile warningMatthias Dieter Wallnöfer1-1/+1
2010-12-04s4:dsdb/samdb/cracknames.c - fix another memory leakMatthias Dieter Wallnöfer1-0/+1
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sat Dec 4 17:26:39 CET 2010 on sn-devel-104
2010-12-02s4-dsdb/descriptor: comment typoKamen Mazdrashki1-1/+1
2010-12-02s4:dsdb/samdb/cracknames.c - fix various KRB5 memory leaksMatthias Dieter Wallnöfer1-7/+13
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 2 12:35:03 CET 2010 on sn-devel-104
2010-12-02s4:password_hash LDB module - allow empty ("") passwordsMatthias Dieter Wallnöfer1-22/+31
This seems to have been broken some time ago - till someone on the mailing list noticed it. I've also added a testsuite (and some additional SamDB python helpers) which should prove this.
2010-12-01s4:ranged results LDB module - cosmetic - fix some indentationMatthias Dieter Wallnöfer1-1/+3
2010-12-01s4:ranged results LDB module - "rr_search_callback" - change some memory contextMatthias Dieter Wallnöfer1-1/+3
"el->values" could under some circumstances be NULL (see "if" above).
2010-12-01s4-ranged_result.c: Fix memory context for ranged attributes handlingKamen Mazdrashki1-4/+15
Pair-Programmed-With: Zahari Zahariev <zahari.zahariev@postpath.com> Autobuild-User: Kamen Mazdrashki <kamenim@samba.org> Autobuild-Date: Wed Dec 1 11:45:48 CET 2010 on sn-devel-104
2010-11-29s4-dsdb: give full error message for operational failuresAndrew Tridgell1-2/+2
2010-11-27s4:param/secrets.h - fix "enum netr_SchannelType" include correctlyMatthias Dieter Wallnöfer1-1/+0
2010-11-27s4:dsdb/samdb/samdb.h - fix include ordering in order to prevent warnings on ↵Matthias Dieter Wallnöfer1-1/+1
Tru64
2010-11-27s4:role transfer - use always type "enum drepl_role_master" for role ↵Matthias Dieter Wallnöfer1-1/+1
specifications Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sat Nov 27 16:03:43 CET 2010 on sn-devel-104
2010-11-27s4:samba3sam LDB module - correctly print out an unsigned valueMatthias Dieter Wallnöfer1-1/+2
Here we can print it out as unsigned since we are generating a string attribute.
2010-11-27s4:samba3sam LDB module - make the "pw_uid"/"pw_gid" conversion a bit clearerMatthias Dieter Wallnöfer1-2/+6
And remove the "long" specifier since at least on the major platforms (Linux, BSD and Solaris) these types are defined as "uint32_t".
2010-11-26s4:rootdse LDB module - remove unused variableMatthias Dieter Wallnöfer1-1/+0
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Fri Nov 26 13:58:27 CET 2010 on sn-devel-104
2010-11-26s4:objectclass LDB module - simply use "msg" when requesting the messageMatthias Dieter Wallnöfer1-2/+2
2010-11-26s4:objectclass LDB module - move the "mem_ctx" allocation to a better placeMatthias Dieter Wallnöfer1-7/+6
It's only needed if we've a schema around.
2010-11-26s4-dsdb Reorganise and clarify the LSA objectClass check (forbidden on LDAP)Andrew Bartlett1-15/+28
This arranged the check to avoid talloc_strdup() (the schema pointers are constant, and can be relied upon), and checks the untrusted bit first (it is faster), before the ldb_attr_cmp(). The strcmp() here was valid, if unusual, because the ldapDisplayName values are already in the correct case, but strcasecmp() is more correct, as for the small extra cost, we avoid a difficult to diagnose bug later. Andrew Bartlett Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-11-26s4-objectclass Use a specific local variable name, not 'value'Andrew Bartlett1-4/+5
This makes it clearer what the local variable in use here does. Andrew Bartlett Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-11-26s4-dsdb Remove rootDSE and anonymous checks from acl_readAndrew Bartlett1-15/+0
The rootdse module handles rootDSE requests, and blocks anonymous access, so we on't need to do it again here. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Nov 26 00:36:19 CET 2010 on sn-devel-104
2010-11-26s4-dsdb Add 'block anonymous' checks to the rootdse moduleAndrew Bartlett1-0/+100
This ensures that one single point checks for and blocks anonymous read access to the database over LDAP. Andrew Bartlett
2010-11-26s4-dsdb Remove mem_ctx argument from dsdb_module_find_dsheuristics().Andrew Bartlett2-4/+3
A function that does not return memory should not take a memory context. Andrew Bartlett
2010-11-25s4:lsa RPC server / objectclass LDB module - fix the creation of trusted ↵Matthias Dieter Wallnöfer1-7/+1
domain objects Tridge pointed out that it is to dangerous to allow them to be created with SYSTEM permissions. The solution using the "untrusted" flag should be much more viable. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Nov 25 13:05:56 CET 2010 on sn-devel-104
2010-11-24s4:objectclass LDB module - LSA objects - allow them if the SYSTEM control ↵Matthias Dieter Wallnöfer1-3/+7
is specified This fits better than the RELAX one. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Wed Nov 24 18:23:01 CET 2010 on sn-devel-104
2010-11-24s4:objectclass LDB module - move one checks into the "objectclass derivation ↵Matthias Dieter Wallnöfer1-11/+17
loop" This denies objects created from possible derivated classes from the prohibited ones. Also small cosmetic improvements for another check.