path: root/source4/dsdb/samdb
Columns: Age, Commit message, Author, Files changed, Lines (-removed/+added)
2013-10-14  s4-samldb: Do not allow deletion of objects with RID < 1000  [Nadezhda Ivanova, 2 files, -0/+6]

    According to [MS-SAMR] 3.1.5.7 Delete Pattern we should not allow deletion of security objects with RID < 1000. This patch will prevent deletion of well-known accounts and groups.

    Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org>
    Autobuild-Date(master): Mon Oct 14 13:31:50 CEST 2013 on sn-devel-104
2013-10-10  dsdb: Provide a clearer error when we fail to store the sequence number in metadata.tdb  [Andrew Bartlett, 1 file, -6/+19]

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-10  s4:dsdb/rootdse: report 'dnsHostName' instead of 'dNSHostName'  [Stefan Metzmacher, 1 file, -1/+1]

    The attribute on the RootDSE object is called 'dnsHostName' instead of 'dNSHostName' (which is used in the schema and on all other directory objects).

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10193

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-09-24  Fix DN RDN case in partition names  [Howard Chu, 3 files, -31/+35]

    Move fix_dn from extended_dn_out.c to util.c

    Signed-off-by: Howard Chu <hyc@symas.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
    Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org>
    Autobuild-Date(master): Tue Sep 24 07:43:39 CEST 2013 on sn-devel-104

2013-09-23  Fix entryCSN format  [Howard Chu, 1 file, -1/+7]

    Signed-off-by: Howard Chu <hyc@symas.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>

2013-09-23  Drop paged-search from OpenLDAP stack  [Howard Chu, 1 file, -1/+1]

    Unnecessary, waste of time.

    Signed-off-by: Howard Chu <hyc@symas.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>

2013-09-23  Add LDB_MAP_RENDROP option  [Howard Chu, 1 file, -1/+1]

    Like LDB_MAP_RENAME, but drop the attribute if it occurs in an Add request. Used for the distinguishedName attribute, which is read-only and generated, but for some bizarre reason AD allows it in an Add request.

    Signed-off-by: Howard Chu <hyc@symas.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>

2013-09-23  Return a couple more attrs by default  [Howard Chu, 1 file, -0/+2]

    Seems to want name and distinguishedName to always be returned.

    Signed-off-by: Howard Chu <hyc@symas.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-19  dsdb-repl_meta_data: Make handling of Deleted Objects DN clearer in delete  [Andrew Bartlett, 1 file, -5/+10]

    This code no longer needs to handle not renaming Deleted Objects during a re-delete, because it is no longer called in that case.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-09-19  dsdb-repl_meta_data: Do not re-delete the Deleted Objects DN during replication  [Andrew Bartlett, 1 file, -3/+5]

    We need to ensure we do not re-delete the Deleted Objects DN during replication. It is itself not entirely a deleted object, but has isDeleted set.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-09-19  dsdb-repl_meta_data: Check for a NULL invocationID and do not proceed  [Andrew Bartlett, 1 file, -0/+4]

    This can happen if we do not find the invocationID, with later patches.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-18  Use SASL/EXTERNAL over ldapi://  [Howard Chu, 1 file, -50/+78]

    The provision script will map the uid of the user running the script to the samba-admin LDAP DN.

    Signed-off-by: Howard Chu <hyc@symas.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>

2013-09-18  Add an OpenLDAP-specific extended_dn_in module  [Howard Chu, 2 files, -5/+37]

    Don't "fix" plain DNs before sending them to OpenLDAP.

    Signed-off-by: Howard Chu <hyc@symas.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-17  dsdb: Use credentials.get_forced_sasl_mech()  [Andrew Bartlett, 1 file, -0/+1]

    This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
    Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org>
    Autobuild-Date(master): Tue Sep 17 01:41:41 CEST 2013 on sn-devel-104

2013-09-16  dsdb: Use dsdb_next_callback() rather than a no-op per-module callback  [Andrew Bartlett, 1 file, -38/+16]

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-09-16  dsdb: Add DSDB_SEARCH_ONE_ONLY support to dsdb_module_search*()  [Andrew Bartlett, 1 file, -0/+13]

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-11  dsdb: When using an LDAP backend, force use of the password from secrets.ldb  [Andrew Bartlett, 1 file, -0/+99]

    This makes testing from the command line much easier, as ldbsearch -H sam.ldb will now just work as well as it did with a tdb-based provision.

    This code was removed from its previous location outside the ldb module stack in aabda85a2fc9f6763abd56d61ff819012f2225ad.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
    Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org>
    Autobuild-Date(master): Wed Sep 11 21:15:50 CEST 2013 on sn-devel-104
2013-08-19  samdb: Fix CID 1034910 Dereference before null check  [Volker Lendecke, 1 file, -3/+3]

    strncmp("tdb://", sam_name, 6) dereferences sam_name. Check for NULL before that.

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2013-08-19  samdb: Fix CID 1034910 Dereference before null check  [Volker Lendecke, 1 file, -3/+3]

    strncmp("tdb://", sam_name, 6) dereferences sam_name. Check for NULL before that.

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2013-08-19  samdb: Fix CID 1034910 Dereference before null check  [Volker Lendecke, 1 file, -3/+3]

    strncmp("tdb://", secrets_ldb, 6) dereferences secrets_ldb. Check for NULL before that.

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-06  drs-cracksname: fix problems that prevented us from passing our torture tests  [Matthieu Patou, 1 file, -6/+21]

    Some of the problems were also reported by Microsoft testing tools.

    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abarlett@samba.org>

2013-08-06  drs-crackname: Fix error code so that we have the same as Windows  [Matthieu Patou, 1 file, -0/+1]

    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abarlett@samba.org>

2013-08-06  drs-cracknames: When cracking NT4 names we should just look at netbios for the match  [Matthieu Patou, 1 file, -2/+1]

    Looking at dnsRoot will yield a result for domain.tld\username when it shouldn't work.

    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abarlett@samba.org>

2013-08-06  drs-crackname: Fix cracknames for the format UNKNOWN when the data is actually a GUID  [Matthieu Patou, 1 file, -1/+4]

    The canonical crackname expects a "/" or it returns DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR; when doing the UNKNOWN format it's not an error to not have a "/" in the name to crack, it's just a sign that the name is not a canonical one.

    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-07-30  dsdb: Include MS-ADTS doc references on deleted object constraints  [Andrew Bartlett, 1 file, -0/+16]

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-07-30  dsdb: Improve DRS deleted link source/target handling in repl_meta_data  [Andrew Bartlett, 1 file, -8/+97]

    We now correctly ignore the link updates if the source or target is deleted locally.

    This fixes the long-standing failure in the vampire_dc dbcheck test.

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>

2013-07-30  dsdb: Ensure we always force deleted objects back under the deleted objects DN  [Andrew Bartlett, 1 file, -26/+65]

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-07-30  dsdb/repl_meta_data: split out replmd_deletion_state()  [Stefan Metzmacher, 1 file, -31/+71]

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2013-07-30  dsdb: Prune deleted objects of links and extra attributes of replicated deletes  [Andrew Bartlett, 1 file, -71/+199]

    When an object is deleted, the links to be removed are not propagated, you have to watch out for them manually!

    We do this by calling back into the originating update delete code (ie what is called if you ldb_delete() locally) so that any extra attribute found locally and not on the remote server becomes removed remotely too.

    We currently do the same with links, but that isn't strictly correct, but for now our getNCChanges server code filters these out, so only the usn is bumped.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-07-25  dsdb/samdb: use RECYCLED, it implies DELETED...  [Stefan Metzmacher, 2 files, -3/+3]

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-24  dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation fails  [Andrew Bartlett, 1 file, -15/+41]

    We now also only poke the RID manager once per request.

    This may help track down why RID allocation can fail, as while we never wait for the RID set to be created/updated, it may be the only clue the admin gets as to why the async allocations were failing.

    Andrew Bartlett

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-07-24  dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searches  [Andrew Bartlett, 2 files, -104/+99]

    This should be more efficient, particularly in the leaf node case when renaming and deleting entries on large databases.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-07-24  dsdb-descriptor: Do not do a subtree search unless we have child entries  [Andrew Bartlett, 1 file, -1/+32]

    This avoids a subtree search here in most cases where an object is deleted.

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-04  dsdb-ridalloc: Fix RID pools - RID numbers increase too quickly  [Andrew Bartlett, 1 file, -1/+2]

    A patch by Cove Schneider <cove_s@yahoo.com> who reports:

        I noticed that the RID numbers seem to increase incrementally, then will suddenly jump by 124501. Unless I'm misunderstanding, shouldn't RID pool allocations just be 500 at a time? e.g. Adding accounts one after another on a single test instance here's how they're incrementing (from 4.0.6):

        1596 1597 1598 1599 126100 126101 126102 ... 126599 251100 ... 251599 376100 ...

        The problem is that this complicates using sssd's AD integration, as it doesn't expect the RIDs to increase in a single domain so quickly.

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Thu Jul 4 20:13:05 CEST 2013 on sn-devel-104
2013-06-19  build: Build with system md5.h on OpenIndiana  [Andrew Bartlett, 1 file, -1/+1]

    This changes (again...) our system md5 detection to cope with how OpenIndiana does md5.

    I'm becoming increasingly convinced this isn't worth our while (we should have just done samba_md5...), but for now this change seems to work on FreeBSD, OpenIndiana and Linux with libbsd.

    This needs us to rename struct MD5Context -> MD5_CTX, but we provide a config.h define to rename the type bad if MD5_CTX does not exist (it does however exist in the md5.h from libbsd).

    Andrew Bartlett

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
2013-06-13  dsdb repl_meta_data: Use dsdb_request_add_controls()  [Andrew Bartlett, 1 file, -18/+1]

    This makes the code easier to read.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Thu Jun 13 11:15:01 CEST 2013 on sn-devel-104

2013-06-12  dsdb: Fix behaviour for when to update the USN when there is no change  [Andrew Bartlett, 1 file, -6/+28]

    This handles deletions and replacements with no value, or with an exactly specified value, as well as modifies.

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

    Andrew Bartlett

    Signed-off-by: Stefan Metzmacher <metze@samba.org>

2013-06-11  Revert "s4-dsdb: Remove strcasecmp() fallback in replmd_ldb_message_element_attid_sort"  [Andrew Bartlett, 1 file, -0/+7]

    This reverts commit d799b25dd3ed0f72ee03949225ba241c5538d7d6.

    Sometimes the schema just isn't right. A segfault is not the correct answer in those cases.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-06-10  s4:samldb LDB module - MS-SAMR 3.1.1.8.10 "userAccountControl"  [Matthias Dieter Wallnöfer, 1 file, -16/+66]

    "UF_LOCKOUT" and "UF_PASSWORD_EXPIRED" are never stored but rather are used for special semantics. "UF_LOCKOUT" performs an account lockout and "UF_PASSWORD_EXPIRED" forces password expiration.

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Mon Jun 10 07:32:35 CEST 2013 on sn-devel-104

2013-06-05  s4:samldb LDB module - permit "userAccountControl" modifications without acct. type  [Matthias Dieter Wallnöfer, 1 file, -2/+26]

    Obviously this defaults to UF_NORMAL_ACCOUNT. Some background can be found in MS-SAMR section 3.1.1.8.10.

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Wed Jun 5 03:26:25 CEST 2013 on sn-devel-104

2013-06-05  s4:samldb LDB module - "userAccountControl" = 0 means UF_NORMAL_ACCOUNT on add  [Matthias Dieter Wallnöfer, 1 file, -3/+11]

    Windows Server 2008 has changed semantics in comparison to Server 2003.

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-28  dsdb-repl_meta_data: Move TODO comment about conflicts and missing parents  [Andrew Bartlett, 1 file, -9/+4]

    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Tue May 28 18:11:00 CEST 2013 on sn-devel-104

2013-05-28  dsdb-repl_meta_data: Handle renames better, considering only the RDN as given, and then the parent as given  [Andrew Bartlett, 1 file, -76/+141]

    This ignores the full DN as given, because the parent components might be out of date.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-05-28  dsdb-linked_attributes: Do not crash if the target GUID can not be found  [Andrew Bartlett, 1 file, -0/+15]

    Note that we must not give an error when we cannot find the object that should hold the backlink, there really isn't anything we can do in this case.

    Andrew Bartlett

    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-20  Fix warning by setting the variable from GUID to const GUID  [Matthieu Patou, 1 file, -1/+2]

    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2013-05-20  Fix more unused vars  [Matthieu Patou, 1 file, -2/+1]

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2013-05-20  Fix a warning about a set but unused variable by actually using it  [Matthieu Patou, 1 file, -0/+5]

    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2013-05-20  operational: remove double loops  [Matthieu Patou, 1 file, -31/+47]

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2013-05-16  dsdb: Expand on what the error finding the ntSecurityDescriptor was in acl_read  [Andrew Bartlett, 1 file, -2/+8]

    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2013-05-15  source4/dsdb/samdb/ldb_modules/local_password.c: Fix typo in comment.  [Karolin Seeger, 1 file, -1/+1]

    Signed-off-by: Karolin Seeger <kseeger@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>