path: root/source4/dsdb
Age  Commit message  Author  Files  Lines
2013-08-06  drs-cracksname: fix problems that prevented to pass our torture tests  Matthieu Patou  1  -6/+21
    Some of the problems were also reported by Microsoft testing tools
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06  drs-crackname: Fix error code so that we have the same as windows  Matthieu Patou  1  -0/+1
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06  drs-cracknames: When cracking NT4 names we should just look at netbios for the match  Matthieu Patou  1  -2/+1
    Looking at dnsRoot will yield a result for domain.tld\username when it shouldn't work.
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06  drs-crackname: Fix cracknames for the format UNKNOWN when the data is actually a GUID  Matthieu Patou  1  -1/+4
    The canonical crackname expects a "/" or it returns DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR, when doing UNKNOWN format it's not an error to not have a "/" in the name to crack it's just a sign the name is not a canonical one.
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-07-30  dsdb: Include MS-ADTS doc references on deleted object constraints  Andrew Bartlett  1  -0/+16
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-30  dsdb: Improve DRS deleted link source/target handling in repl_meta_data  Andrew Bartlett  1  -8/+97
    We now correctly ignore the link updates if the source or target is deleted locally. This fixes the long-standing failure in the vampire_dc dbcheck test.
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Andrew Bartlett
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-30  dsdb: Ensure we always force deleted objects back under the deleted objects DN  Andrew Bartlett  1  -26/+65
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-30  dsdb/repl_meta_data: split out replmd_deletion_state()  Stefan Metzmacher  1  -31/+71
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-07-30  dsdb: Prune deleted objects of links and extra attributes of replicated deletes  Andrew Bartlett  1  -71/+199
    When an object is deleted, the links to be removed are not propagated, you have to watch out for them manually! We do this by calling back into the originating update delete code (ie what is called if you ldb_delete() locally) so that any extra attribute found locally and not on the remote server becomes removed remotely too. We currently do the same with links, but that isn't strictly correct, but for now our getNCChanges server code filters these out, so only the usn is bumped.
    Andrew Bartlett
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-25  dsdb/samdb: use RECYCLED it implies DELETED...  Stefan Metzmacher  2  -3/+3
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-24  dsdb: Add assert in drepl_take_FSMO_role  Andrew Bartlett  1  -4/+3
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-24  dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation fails  Andrew Bartlett  1  -15/+41
    We now also only poke the RID manager once per request. This may help track down why RID allocation can fail, as while we never wait for the RID set to be created/updated, it may be the only clue the admin gets as to why the async allocations were failing.
    Andrew Bartlett
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-24  dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searches  Andrew Bartlett  2  -104/+99
    This should be more efficient, particularly in the leaf node case when renaming and deleting entries on large databases.
    Andrew Bartlett
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-24  dsdb-descriptor: Do not do a subtree search unless we have child entries  Andrew Bartlett  1  -1/+32
    This avoids a subtree search here in most cases where an object is deleted.
    Andrew Bartlett
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-04  dsdb-ridalloc: Fix RID pools - RID numbers increase too quickly  Andrew Bartlett  1  -1/+2
    A patch by Cove Schneider <cove_s@yahoo.com> who reports:
    I noticed that the RID numbers seem to increase incrementally, then will suddenly jump by 124501. Unless I'm misunderstanding, shouldn't RID pool allocations just be 500 at a time? e.g.
    Adding accounts one after another on a single test instance here's how they're incrementing (from 4.0.6):
    1596 1597 1598 1599 126100 126101 126102 ... 126599 251100 ... 251599 376100 ...
    The problem is that this complicates using sssd's AD integration, as that it doesn't expect the RIDs to increase in a single domain so quickly.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Thu Jul 4 20:13:05 CEST 2013 on sn-devel-104
2013-06-19  build: Build with system md5.h on OpenIndiana  Andrew Bartlett  1  -1/+1
    This changes (again...) our system md5 detection to cope with how OpenIndiana does md5. I'm becoming increasingly convinced this isn't worth our while (we should have just done samba_md5...), but for now this change seems to work on FreeBSD, OpenIndiana and Linux with libbsd. This needs us to rename struct MD5Context -> MD5_CTX, but we provide a config.h define to rename the type bad if MD5_CTX does not exist (it does however exist in the md5.h from libbsd).
    Andrew Bartlett
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
2013-06-13  dsdb: remove a wrong comment in dsdb_check_access_on_dn_internal()  Stefan Metzmacher  1  -4/+1
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Thu Jun 13 18:19:24 CEST 2013 on sn-devel-104
2013-06-13  dsdb: don't allow a missing nTSecurityDescriptor in dsdb_get_sd_from_ldb_message()  Stefan Metzmacher  1  -3/+3
    Every object has a nTSecurityDescriptor attribute. This also avoids potential segfaults in the callers.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-06-13  dsdb: use AS_SYSTEM | SHOW_RECYCLED for access check searches  Stefan Metzmacher  1  -1/+7
    We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute. Also the result of this search is not controlled by the client nor is the result exposed to the client.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-06-13  dsdb repl_meta_data: Use dsdb_request_add_controls()  Andrew Bartlett  1  -18/+1
    This makes the code easier to read.
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Thu Jun 13 11:15:01 CEST 2013 on sn-devel-104
2013-06-12  dsdb-tests ldap.py: Add test for usn behaviour on certain changes  Andrew Bartlett  1  -54/+155
    This probes when the usn is updated, and when it is not.
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Wed Jun 12 11:54:01 CEST 2013 on sn-devel-104
2013-06-12  dsdb-tests ldap.py: Fix quoting of print statements  Andrew Bartlett  1  -10/+10
    While python didn't mind (oddly) it really confused my editor.
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-06-12  dsdb: Fix behaviour for when to update the USN when there is no change  Andrew Bartlett  1  -6/+28
    This handles deletions and replacements with no value, or with an exactly specified value, as well as modifies.
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Andrew Bartlett
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-06-12  dsdb: Allow dsdb_find_dn_by_guid to show deleted DNs  Andrew Bartlett  4  -7/+15
    This helps us in the KCC as we need to return the deleted DN for the GUID in DsReplicaGetInfo calls (tested for deleted servers against Windows 2008R2).
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-06-11  dsdb: reset schema->{classes,attributes}_to_remove_size to 0  Stefan Metzmacher  1  -1/+3
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Tue Jun 11 11:40:39 CEST 2013 on sn-devel-104
2013-06-11  dsdb: use the correct talloc parent in dsdb_repl_merge_working_schema()  Stefan Metzmacher  1  -2/+2
    schema->{classes,attributes} are the DLIST pointer not an array.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-06-11  Revert "s4-dsdb: Remove strcasecmp() fallback in replmd_ldb_message_element_attid_sort"  Andrew Bartlett  1  -0/+7
    This reverts commit d799b25dd3ed0f72ee03949225ba241c5538d7d6. Sometimes the schema just isn't right. A segfault is not the correct answer in those cases.
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-06-10  s4:samldb LDB module - MS-SAMR 3.1.1.8.10 "userAccountControl"  Matthias Dieter Wallnöfer  2  -17/+147
    "UF_LOCKOUT" and "UF_PASSWORD_EXPIRED" are never stored but rather are used for special semantics. "UF_LOCKOUT" performs an account lockout and "UF_PASSWORD_EXPIRED" forces password expiration.
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Mon Jun 10 07:32:35 CEST 2013 on sn-devel-104
2013-06-05  s4:samldb LDB module - permit "userAccountControl" modifications without acct. type  Matthias Dieter Wallnöfer  2  -2/+58
    Obviously this defaults to UF_NORMAL_ACCOUNT. Some background can be found in MS-SAMR section 3.1.1.8.10.
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Wed Jun 5 03:26:25 CEST 2013 on sn-devel-104
2013-06-05  s4:samldb LDB module - "userAccountControl" = 0 means UF_NORMAL_ACCOUNT on add  Matthias Dieter Wallnöfer  2  -21/+37
    Windows Server 2008 has changed semantics in comparison to Server 2003.
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-28  dsdb-repl_meta_data: Move TODO comment about conflicts and missing parents  Andrew Bartlett  1  -9/+4
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Tue May 28 18:11:00 CEST 2013 on sn-devel-104
2013-05-28  dsdb-repl_meta_data: Handle renames better, considering only the RDN as given, and then the parent as given  Andrew Bartlett  1  -76/+141
    This ignores the full DN as given, because the parent components might be out of date.
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-28  dsdb-linked_attributes: Do not crash if the target GUID can not be found  Andrew Bartlett  1  -0/+15
    Note that we must not give an error when we cannot find the object that should hold the backlink, there really isn't anything we can do in this case.
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-23  dsdb-repl: merge the logic from libnet_vampire_cb_apply_schema()  Stefan Metzmacher  1  -6/+113
    This way libnet_vampire_cb_apply_schema() is able to use dsdb_repl_resolve_working_schema().
    Pair-Programmed-With: Matthieu Patou <mat@matws.net>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-23  dsdb-repl: split out dsdb_repl_resolve_working_schema  Stefan Metzmacher  1  -53/+94
    This can be reused later in other places.
    Pair-Programmed-With: Matthieu Patou <mat@matws.net>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-23  dsdb-drs: when replicating schema object checks ask for removal of previous version if exists (bug #8680)  Matthieu Patou  1  -3/+4
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-23  dsdb-schema: make deduplication of class and schema possible (bug #8680)  Matthieu Patou  3  -10/+113
    When a class or an attribute is replicated it might already exist in the existing schema, so while replicating the new version of this object we want to get rid of the old version of the object in the current validating schema so that we don't end up having duplicates.
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-23  dsdb-schema: schema_fill_possible_inferiors() should rebuild everything  Stefan Metzmacher  1  -2/+2
    commit cd7f3fd07215a7b8372b6b623faed02ae1310cb1 reverted the change of commit c2853f55fc603d4875bb1e50a1cbf409df0421ea.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20  Fix warning by setting the variable from GUID to const GUID  Matthieu Patou  1  -1/+2
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20  Fix more unused vars  Matthieu Patou  1  -2/+1
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20  Fix a warning about a set but unused variable by actually using it  Matthieu Patou  1  -0/+5
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20  Fix warnings about set but unused variables  Matthieu Patou  2  -10/+1
    Signed-off-by: Matthieu Patou <mat@matws.net>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20  operational: remove double loops  Matthieu Patou  1  -31/+47
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-20  dsdb-schema: remove looping on all schema classes for system_possible_inferrior  Matthieu Patou  1  -34/+19
    The logic to populate possible inferiors and system possible inferiors is the same so instead of looping twice we do both attributes (depending on the type of the class) in the same loop
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-17  s4:dsdb python tests - set the executable flag  Matthias Dieter Wallnöfer  2  -0/+0
    Reviewed-by: Matthieu Patou <mat@samba.org>
    Autobuild-User(master): Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-Date(master): Fri May 17 15:11:29 CEST 2013 on sn-devel-104
2013-05-16  dsdb: Expand on what the error finding the ntSecurityDescriptor was in acl_read  Andrew Bartlett  1  -2/+8
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16  dsdb-schema: Print clear debug message when we find a OID in our local DB we cannot convert  Andrew Bartlett  1  -0/+1
    We need to work out why we are unable to make a mapping for an OID in our database, because we should not have been able to add it without such a mapping.
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16  dsdb-repl: Allow the name attribute (and name-based schema lookups) to be skipped in dsdb_repl_make_working_schema()  Andrew Bartlett  1  -12/+19
    This allows us to use a schema that may only be valid for attributeID based lookups, during the schema load.
    Andrew Bartlett
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-15  source4/dsdb/schema/schema_convert_to_ol.c: Fix typo in comment.  Karolin Seeger  1  -1/+1
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15  source4/dsdb/samdb/ldb_modules/local_password.c: Fix typo in comment.  Karolin Seeger  1  -1/+1
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>