Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2010-09-11 | libcli/security Use talloc_zero when making a struct security_token | Andrew Bartlett | 1 | -2/+0 | |
2010-09-11 | s4-privs Seperate rights and privileges | Andrew Bartlett | 1 | -2/+6 | |
These are related, but slightly different concepts. The biggest difference is that rights are not enumerated as a system-wide list. This moves the rights to security.idl due to dependencies. Andrew Bartlett | |||||
2010-09-11 | libcli/security make sec_privilege_id() return SEC_PRIV_INVALID on failure. | Andrew Bartlett | 1 | -1/+1 | |
Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org> | |||||
2010-09-10 | s4/fsmo: Change return type from NTSTATUS to WERROR for drepl_takeFSMOrole | Anatoliy Atanasov | 1 | -2/+3 | |
This removed an unnecessary conversion of the return type in drepl_take_FSMO_role. | |||||
2010-09-10 | s4-fsmo: update FSMO changes for recent IRPC work | Andrew Tridgell | 1 | -4/+10 | |
the IRPC API has changed Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-09-10 | s4-ldap: Added support for FSMO role transfer via LDAP by modify on rootDSE | Nadezhda Ivanova | 1 | -1/+46 | |
GetNCChanges with the corresponding extended operation is initiated and added to the queue when a modify request is received on becomeSchemaMaster, becomeRidMaster, becomeNamingMaster, becomeInfrastructureMaster and becomePDC attributes in rootDSE. | |||||
2010-09-09 | s4-dsdb Change debug levels for startup messages | Andrew Bartlett | 2 | -10/+10 | |
We should make the 'common' error not show up, but the unusal case fatal. Andrew Bartlett | |||||
2010-09-05 | dsdb: make the ATTRIBUTE NOT FOUND more clear | Matthieu Patou | 1 | -0/+3 | |
2010-09-04 | dsdb: Add missing dependencies for dsdb ldb modules. | Jelmer Vernooij | 1 | -2/+2 | |
2010-09-02 | s4:dsdb Fix attribute being searched for in dereference against Fedora DS | Andrew Bartlett | 1 | -1/+1 | |
The problem here is that these attributes are not mapped in the simple_ldap_map, and they were changed a while back. Andrew Bartlett | |||||
2010-09-02 | s4:dsdb Make the dereference control critical if input is critical | Andrew Bartlett | 1 | -1/+3 | |
This helps us ensure that the backend knows about and respects the dereference control if our caller has asked that the extended DN control be considered critical. Andrew Bartlett | |||||
2010-09-02 | s4:dsdb Don't reload the schema against OpenLDAP backend | Andrew Bartlett | 2 | -3/+13 | |
The schema should be considered read-only when we are using the OL backend, as we can't update the backend schema in real time anyway. Andrew Bartlett | |||||
2010-08-27 | s4-dsdb: Fixed a compiler warning. | Nadezhda Ivanova | 1 | -1/+0 | |
2010-08-26 | s4:dsdb_module_find_dsheuristics - free the "DN" also on other exit cases | Matthias Dieter Wallnöfer | 1 | -0/+2 | |
2010-08-26 | s4-dsdb: Removed an unnecessary space in dsdb_module_find_dsheuristics() | Nadezhda Ivanova | 1 | -1/+1 | |
2010-08-26 | s4-dsdb: Added utility functions for retrieving dSHeuristics from the module ↵ | Nadezhda Ivanova | 1 | -0/+47 | |
stack Also a function to check dsHeuristics value to determine of anonymous access should be blocked | |||||
2010-08-23 | s4:security Change struct security_token->sids from struct dom_sid * to ↵ | Andrew Bartlett | 5 | -29/+26 | |
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett | |||||
2010-08-20 | s4-dsdb: the RODC_JOIN control also changes samAccountName | Andrew Tridgell | 1 | -9/+13 | |
when adding a user with the RODC_JOIN control, the samAccountName is automatically set to the krbtgt_NNNNN form Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-19 | s4: fix few comment typos | Kamen Mazdrashki | 1 | -2/+2 | |
2010-08-19 | s4-dsdb: Use dsdb_syntax_ctx in *_validate_ldb functions | Kamen Mazdrashki | 1 | -1/+5 | |
2010-08-18 | s4:auth Change {anonymous,system}_session to use common session_info generation | Andrew Bartlett | 1 | -2/+4 | |
This also changes the primary group for anonymous to be the anonymous SID, and adds code to detect and ignore this when constructing the token. Andrew Bartlett | |||||
2010-08-18 | s4:security Remove use of user_sid and group_sid from struct security_token | Andrew Bartlett | 3 | -6/+6 | |
This makes the structure more like Samba3's NT_USER_TOKEN | |||||
2010-08-17 | s4:password_hash LDB module - perform the adaptions to understand the new ↵ | Matthias Dieter Wallnöfer | 1 | -8/+26 | |
password change control | |||||
2010-08-17 | s4:acl LDB module - support password changes over the ↵ | Matthias Dieter Wallnöfer | 1 | -1/+15 | |
DSDB_CONTROL_PASSWORD_CHANGE_OID control This control is used from the SAMR and "kpasswd" password changes. It is strictly private and means "this is a password change and not a password set". | |||||
2010-08-17 | s4:DSDB - DSDB_CONTROL_PASSWORD_CHANGE_OID - add a structure as value to the ↵ | Matthias Dieter Wallnöfer | 1 | -0/+5 | |
control This contains the NT and/or LM hash of the password specified by the user. | |||||
2010-08-17 | s4:DSDB - rename the "DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID" | Matthias Dieter Wallnöfer | 2 | -9/+8 | |
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards contain a record with the specified old password as NT and/or LM hash. | |||||
2010-08-17 | s4-dsdb: check the type of session_info from the opaque | Andrew Tridgell | 1 | -2/+2 | |
we saw a crash with a bad pointer here, and this may help track it down Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: added support for UF_PARTIAL_SECRETS_ACCOUNT | Andrew Tridgell | 1 | -2/+9 | |
when this is in user_account_control the account is a RODC, and we need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: cope with cracknames of form dnsdomain\account | Andrew Tridgell | 1 | -2/+8 | |
this is used by w2k8r2 when doing a RODC dcpromo Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: set LDB_FLAG_INTERNAL_DISABLE_VALIDATION for msDS-SecondaryKrbTgtNumber | Andrew Tridgell | 1 | -1/+8 | |
msDS-SecondaryKrbTgtNumber is setup with a value that is outside the range allowed by the schema (the schema has rangeLower==rangeUpper==65536). We need to mark this element as being internally generated to avoid the range checks Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-ldb: added LDB_FLAG_INTERNAL_DISABLE_VALIDATION | Andrew Tridgell | 1 | -7/+9 | |
When this flag is set on an element in an add/modify request then the normal validate_ldb() call that checks the element against schema constraints is disabled Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messages | Andrew Tridgell | 4 | -15/+15 | |
The flags field of message elements is part of a set of flags. We had LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely being used (only 1 call used it correctly). This adds LDB_FLAG_MOD_MASK() to make it more obvious what is going on. This will allow us to use some of the other flags bits for internal markers on elements Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: support LDB_CONTROL_RODC_DCPROMO_OID for nTDSDSA add | Andrew Tridgell | 1 | -1/+24 | |
this control disables the system only check for nTDSDSA add operations Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-17 | s4-dsdb: fixed test for LDB_CONTROL_RODC_DCPROMO_OID | Andrew Tridgell | 1 | -1/+1 | |
the ldb_msg_add_fmt() call returns LDB_SUCCESS on success | |||||
2010-08-17 | s4-dsdb: added support for LDB_CONTROL_RODC_DCPROMO_OID | Andrew Tridgell | 1 | -0/+69 | |
this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a user object. There is some 'interesting' interaction with the rangeLower and rangeUpper attributes and this add. We don't implementat rangeLower/rangeUpper yet, but when we do we'll need an override for this control (or be careful about module ordering). Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> | |||||
2010-08-15 | s4:password_hash LDB module - introduce the extended LDAP error codes on the ↵ | Matthias Dieter Wallnöfer | 1 | -43/+72 | |
important failure cases | |||||
2010-08-15 | s4:password_hash LDB module - support this new password set syntax | Matthias Dieter Wallnöfer | 1 | -2/+10 | |
2010-08-15 | s4:password_hash LDB module - allow to compare against both NT and LM hashes ↵ | Matthias Dieter Wallnöfer | 1 | -10/+1 | |
on password change operations This is to match the SAMR password change behaviour. | |||||
2010-08-15 | s4:subtree_rename.c - relax the checks when requested | Matthias Dieter Wallnöfer | 1 | -0/+5 | |
(Needed by upgradeprovision for example) | |||||
2010-08-14 | s4:password_hash LDB module - improve an error message | Matthias Dieter Wallnöfer | 1 | -2/+2 | |
2010-08-14 | s4:password_hash LDB module - implement the SAMR behaviour when checking old ↵ | Matthias Dieter Wallnöfer | 1 | -5/+16 | |
passwords Sooner or later this module should take over all password change actions. | |||||
2010-08-14 | s4:password_hash LDB module - fix wrong error codes | Matthias Dieter Wallnöfer | 1 | -4/+4 | |
To match the passwords.py test | |||||
2010-08-10 | s4:objectclass LDB module - weak the check for the "rIDSet" delete constraint | Matthias Dieter Wallnöfer | 1 | -8/+10 | |
Perform it only when a "rIDSet" does exist. Requested by ekacnet for "upgradeprovision". | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - enhance and clean the ↵ | Matthias Dieter Wallnöfer | 1 | -8/+20 | |
"systemFlags" section Also here we have to test for single-valueness. | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - implement "objectCategory" ↵ | Matthias Dieter Wallnöfer | 1 | -5/+34 | |
validation | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - reject creation of LSA ↵ | Matthias Dieter Wallnöfer | 1 | -0/+8 | |
specific objects (only using the RELAX flag allowed) | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - move two checks | Matthias Dieter Wallnöfer | 1 | -17/+12 | |
To be more consistent with the MS-ADTS doc. | |||||
2010-08-07 | s4:objectclass LDB module - "add operation" - deny multiple "objectclass" ↵ | Matthias Dieter Wallnöfer | 1 | -5/+14 | |
message elements Requested by MS-ADTS 3.1.1.5.2.2 | |||||
2010-08-07 | s4:objectclass LDB module - "add" operation - free "mem_ctx" as soon as possible | Matthias Dieter Wallnöfer | 1 | -4/+2 | |
We don't need to have it around until the end of the function. | |||||
2010-08-04 | s4:LDB modules - remove the "kludge_acl" module code | Matthias Dieter Wallnöfer | 1 | -516/+0 | |
Obviously this has been forgotten by Nadya. |