summaryrefslogtreecommitdiff
path: root/source4/dsdb
AgeCommit message (Collapse)AuthorFilesLines
2012-11-30s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a ↵Stefan Metzmacher1-1/+28
default one Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: give SYSTEM the correct default owner (group) sidStefan Metzmacher1-0/+6
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)Stefan Metzmacher2-2/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: specify the correct access_mask for nTSecurityDescriptorStefan Metzmacher1-1/+19
We need to base the access mask on the given SD Flags. Originally, we always checked for SEC_FLAG_SYSTEM_SECURITY, which could lead to INSUFFICIENT_RIGHTS when we should have been allowed to read. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_read: do search for instanceType AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-1/+3
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: calculate the correct access_mask when modifying ↵Stefan Metzmacher1-1/+14
nTSecurityDescriptor The access_mask depends on the SD Flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: don't protect confidential attributes when "acl:search = yes" ↵Stefan Metzmacher1-0/+11
is set In that case the acl_read module does the protection. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: remove unused "acl:perform" optionStefan Metzmacher1-3/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-5/+15
The searches are done in order to do access checks and the results are not directly exposed to the client. Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: make it clear that the SD Flags are ignored on addStefan Metzmacher1-1/+7
See [MS-ADTS] 6.1.3.2 SD Flags Control: ... When performing an LDAP add operation, the client can supply an SD flags control with the operation; however, it will be ignored by the server. ... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: make use of dsdb_request_sd_flags()Stefan Metzmacher1-47/+15
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: always use descriptor_search_callback if we return ↵Stefan Metzmacher1-1/+12
nTSecurityDescriptor If the nTSecurityDescriptor is explicitly specified without the SD Flags control we should go through descriptor_search_callback(). This is not strictly needed at the moment, but makes the code clearer and might avoid surprises in the future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/descriptor: do searches for nTSecurityDescriptor AS_SYSTEM and with ↵Stefan Metzmacher1-11/+12
SHOW_RECYCLED Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: add dsdb_request_sd_flags() helper functionStefan Metzmacher1-0/+37
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/acl_util: do helper searches AS_SYSTEMStefan Metzmacher1-0/+1
The search is done in order to do access checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/extended_dn_store: do helper searches AS_SYSTEMStefan Metzmacher1-1/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/extended_dn_in: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-12/+13
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/objectclass: do helper searches AS_SYSTEM and with SHOW_RECYCLEDStefan Metzmacher1-3/+31
Note that SHOW_RECYCLED implies SHOW_DELETED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/rootdse: do helper searches AS_SYSTEMStefan Metzmacher1-7/+29
As anonymous users can read all rootdse attributes, we should do helper searches with DSDB_FLAG_AS_SYSTEM in order to avoid unnecessary access checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/rootdse: remove unused variableStefan Metzmacher1-1/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: explicitly ask for sdctr->secinfo_flags = 0xFStefan Metzmacher1-2/+2
A value of 0 is mapped to 0xF. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: use the correct nc_root to fetch replUpToDateVectorStefan Metzmacher1-3/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/dirsync: check result of replUpToDateVector fetch on nc_rootStefan Metzmacher1-0/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-30s4:dsdb/schema_data: fix debug message in schema_data_modify()Stefan Metzmacher1-1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-16dsdb: Make secrets_tdb_sync cope with -H secrets.ldbAndrew Bartlett1-2/+3
The issue was, without a / in the path, we did not cope. Andrew Bartlett Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-12s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS ↵Stefan Metzmacher1-0/+4
(bug #8620) Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 12 01:25:21 CET 2012 on sn-devel-104
2012-11-12s4:dsdb/acl_read: fix whitespace formatting errorsStefan Metzmacher1-124/+128
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: only give administrators access to attributes marked as ↵Stefan Metzmacher1-0/+87
confidential (bug #8620) The full fix will to implement and use the code of the read_acl module, but this is better than nothing for now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: reorganize the logic flow in the password filtering checksStefan Metzmacher1-54/+92
This avoids some nesting levels and does early returns. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12s4:dsdb/acl: fix search filter cleanup for password attributesStefan Metzmacher1-1/+1
We need to this when we're *not* system. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06ldb_secrets_tdb_sync: Add dependency on gssapi.Jelmer Vernooij1-1/+1
This is required when building with the system heimdal, as gssapi/gssapi_spnego.h is included. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Nov 6 05:12:28 CET 2012 on sn-devel-104
2012-11-06dsdb: Rename _res argument to _result.Jelmer Vernooij1-6/+6
Newer versions of heimdal include a macro that is unfortunately named '_res'. This change prevents the clash. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06dsdb: Simplify DsCrackNameOneFilter a bitVolker Lendecke1-1/+4
For me "else" branches clutter my flow reading code. If we do a hard return at the end of an "if" branch, "else" is not required. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-10-25dsdb-cracknames: Return DRSUAPI_DS_NAME_STATUS_NO_MAPPING when there is no SIDAndrew Bartlett1-3/+7
If there is no SID for an object being mapped, then there is no NT4 name. We need to return DRSUAPI_DS_NAME_STATUS_NO_MAPPING rather than error out with anything other than WERR_OK as the return value. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Oct 25 04:43:25 CEST 2012 on sn-devel-104
2012-10-24dsdb-cracknames: Always use talloc_zero()Andrew Bartlett1-1/+1
Otherwise, we will return un-initialised values to the caller, which will attempt to push them onto the wire. Found by Greg Dickie <greg@justaguy.ca>. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Oct 24 05:12:04 CEST 2012 on sn-devel-104
2012-10-07s4-repl: make dreplsrv_partition_find_for_nc return BAD_NC onlyMatthieu Patou1-2/+7
2012-10-07drs-replica-info: level_not_supported is wrong when we do support (partialy ↵Matthieu Patou1-9/+13
the level)
2012-10-07drs-crackname: if there is no sid do not return the domainMatthieu Patou1-0/+2
2012-10-07Implement the LIST_INFO_FOR_SERVER input formatMatthieu Patou1-0/+107
2012-09-01s4-dsdb: Remove unused variablesAndrew Bartlett1-3/+0
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Sep 1 05:10:47 CEST 2012 on sn-devel-104
2012-09-01s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_contextAndrew Bartlett1-2/+0
This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! Andrew Bartlett
2012-08-28s4-dsdb: Remove double-free in update_keytab moduleAndrew Bartlett1-2/+0
2012-08-28s4-dsdb: Add secrets_tdb_sync - an ldb module to keep secrets.tdb in syncAndrew Bartlett3-0/+539
secrets_tdb_sync is a new ldb module designed to sync secrets.ldb entries with the secrets.tdb file. While not ideal to keep two copies of this data, this routine will assist in allowing the samba-tool domain join code to operate correctly in most cases where winbindd and smbd are used. Andrew Bartlett
2012-08-23s4-dsdb: Remove unused variablesAndrew Bartlett1-5/+0
2012-08-23s4-dsdb: Do not use a possibly-old loadparm context in schema reloadAndrew Bartlett3-19/+18
The loadparm context on the schema DB might have gone away already. Pre-cache the schema refresh interval at load time to avoid worrying about this. Andrew Bartlett
2012-08-22s4:samldb LDB module - remove unused "member" attribute from search filterMatthias Dieter Wallnöfer1-1/+1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22s4:dsdb - always fail if a search filter could not be parsedMatthias Dieter Wallnöfer1-0/+3
A NULL string/expression returns the generic "(objectClass=*)" filter Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22s4:dsdb_sort_objectClass_attr - simplify memory context handlingMatthias Dieter Wallnöfer3-37/+23
Do only require the out memory context and build the temporary one in the body of the function. This greatly simplifies the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22s4:dsdb_sort_objectClass_attr - use "data_blob_string_const" for setting valuesMatthias Dieter Wallnöfer1-6/+1
As shown in commit c8e6d8b487 this looks easier and in any case we can treat schema context data like global data. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-17s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto ↵Andrew Bartlett1-6/+11
part->dn The confusing use of do_dn as a memory context while legitimate created a bug when it was copied and modified to search on a DN from long-term state. By always using a temporary memory context it is clear what paramter is the memory context. This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Aug 17 18:24:10 CEST 2012 on sn-devel-104
generated by cgit (git 2.34.1) at 2024-11-16 23:56:55 +0000