summaryrefslogtreecommitdiff
path: root/source4/dsdb
AgeCommit message (Collapse)AuthorFilesLines
2011-07-13pydsdb: added get_backlink_from_lDAPDisplayName()Andrew Tridgell1-0/+45
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-07-13s4-dsdb: moved checking of duplicate member entries to repl_meta_data.cAndrew Tridgell2-35/+20
the samldb checks failed to account for the possibility of a member being removed and added in the same modify operation. This happens (for example) when dbcheck is fixing a SID in a DN. The repl_meta_data.c code already has this check, it just wasn't giving the right specialised error code for the 'member' attribute Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-07-11dsdb: added get_lDAPDisplayName_by_attidAndrew Tridgell1-0/+33
this allows conversion from a DRS attribute ID to a LDAP display name Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com> Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-07-11s4-dirsync: do not return linked attribute if the target object is no moreMatthieu Patou1-0/+29
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-11s4-dsdb: allow objectsid to be specified in a modification operationMatthieu Patou1-3/+5
if we have the provision control, it's used by dbcheck Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-11s4-python: Add functions to get linkid and systemflags of an attributeMatthieu Patou1-0/+68
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-11s4-dsdb: if the provision control is specified, update replication metadata ↵Matthieu Patou1-1/+7
even if the data hasn't change Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-11s4-dsdb: when replacing linked attribute take always the new dn as the old ↵Matthieu Patou1-1/+1
dn might be broken The usual use case is that you have a not complete linked attribute (ie. without the SID) if we keep using the old dn, then the SID will never be added. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-11s4-dsdb: check for single valued attribute in repl_meta_data moduleMatthieu Patou1-0/+11
This is needed because we can have more than 1 value in a single valued attribute as we store also deleted values. So we do the check in repl_meta_data and then indicate LDB to do the check. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-11s4-dsdb: deleted objects are expected to be missing mandatory attributesAndrew Tridgell1-1/+2
the objectclass_attrs validation that an object contains all mandatory attributes is incorrect for deleted objects, as they get stripped of some mandatory attributes when deleted (for example, objectCategory gets stripped) Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-07-11s4-dsdb: fixed crash bug in extended_dn_inAndrew Tridgell1-2/+4
when extended_dn_in fails to resolve a GUID extended DN component, the debug code assumed that it was a search operation, and accessed ac->req->op.search.base, which is not valid for non-search DN expansions. Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
2011-07-05s4-dsdb: allow removal of unknown attributes if RELAX setAndrew Tridgell2-2/+21
this allows attributes not known in the schema to be removed if the caller has set the RELAX control. This will be used by dbcheck to allow cleaning of bad attributes from the database
2011-07-01s4-dsdb guard principalName parse for invalid inputsAndrew Bartlett1-1/+6
We need to ensure that if this parses name.name_string as just one val, then we don't read uninitialised and possibly unallocated memory. Found by Adam Thorn <alt36@cam.ac.uk> While we are checking that, we need to fix the strncasecmp() check to first check if the string is the expected length, then check for a match against sAMAccountName-without-doller, as otherwise we will permit a string such as machinefoo to match a sAMAccountName of machine. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Jul 1 03:55:00 CEST 2011 on sn-devel-104
2011-07-01s4-dsdb Allow a servicePrincipalName of machine$Andrew Bartlett1-0/+6
This is pointless, but MacOS X (version 10.6.8 was tested) apparently sets machine$ into this field. Andrew Bartlett
2011-06-22s4-schema: avoid segfaulting if id3.guid is NULLMatthieu Patou1-2/+1
2011-06-22s4-dsdb: bypass validation when relax setAndrew Tridgell1-1/+2
this allows dbcheck to fix bad attributes Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104
2011-06-22s4-dsdb: prioritise GUID in extended_dn_inAndrew Tridgell1-8/+11
if we search with a base DN that has both a GUID and a SID, then use the GUID first. This matters for the S-1-5-17 SID. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22s4-dsdb: catch duplicate matches in extended_dn_inAndrew Tridgell1-0/+12
When searching using extended DNs, if there are multiple matches then return an object not found error. This is needed for the case of a duplicate objectSid, which happens for S-1-5-17 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22pydsdb: added get_syntax_oid_from_lDAPDisplayName()Andrew Tridgell1-0/+40
this gives you access to the syntax oid of an attribute Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22s4-dsdb: don't add zero GUID to BINARY_DNAndrew Tridgell1-9/+11
When converting from DRS to ldb format for a BINARY_DN, don't add the GUID extended DN element if the GUID is all zeros. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-20libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbolAndrew Bartlett1-4/+4
The two error tables need to be combined, but for now seperate the names. (As the common parts of the tree now use the _common function, errmap_unix.c must be included in the s3 autoconf build). Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
2011-06-20libcli/util Bring samba4 unix -> nt_status code in common.Andrew Bartlett1-1/+1
Due to library link orders, this is already the function that is being used. However we still need to sort out the duplicate symbol issues, probably by renaming things. Andrew Bartlett
2011-06-17s4-dsdb: if we don't have a remote schema, then use the local oneAndrew Tridgell1-2/+8
this allows the use of drsuapi_to_ldb() on all attributes for the local database
2011-06-17s4-pydsdb: added dsdb_normalise_attributes() callAndrew Tridgell1-0/+104
this call converts a set of attributes to DRSUAPI format and back to ldb format. This has the effect of normalising the attributes using the schema syntax rules
2011-06-10s4-drs: ensure we add a RMD_ADDTIME when upgrading a linked attributeAndrew Tridgell1-1/+2
if the link was a w2k style, and we are upgrading it, then set the RMD_ADDTIME to the current time
2011-06-10s4-drs: cope with missing RMD_ADDTIME in linked attributesAndrew Tridgell1-1/+1
upgraded links can be missing the RMD_ADDTIME field
2011-06-09s4:schema_convert_to_ol.c - fix memory contextsMatthias Dieter Wallnöfer1-3/+13
- Add more "mem_ctx" free functions on error cases - Steal the "out" string directly onto the LDB context to be able to free the local "mem_ctx" Reviewed-by: Tridge
2011-06-09s4:dsdb/schema_convert_to_ol.c - quiet enum warningMatthias Dieter Wallnöfer1-0/+9
Introduce a error message when choosing wrong targets. Reviewed-by: Tridge
2011-06-07s4-dsdb: cope with missing backlinks in rpmd handlingAndrew Tridgell1-1/+10
if backlinks have not propogated correctly in a previous replication this allows us to recover
2011-06-06s4-param Remove 'sid generator'Andrew Bartlett1-9/+5
This was only used by the Fedora DS backend for Samba4. We agreed to no longer support external LDAP backends. Andrew Bartlett
2011-06-06s4-param Remove 'sam database' parameterAndrew Bartlett1-1/+1
This now just relies on the private dir parameter, which remains. Andrew Bartlett
2011-05-25s4:samldb LDB module - check if the RODC group exists if creating an RODCMatthias Dieter Wallnöfer1-13/+43
Older AD deployments simply don't have it and hence there is no RODC support. Reviewed-by: abartlet Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Wed May 25 10:26:37 CEST 2011 on sn-devel-104
2011-05-25s4:samldb LDB module - better to call "samldb_prim_group_trigger"Matthias Dieter Wallnöfer1-1/+1
"samldb_prim_group_trigger" which as a wrapper calls "samldb_prim_group_change" for a LDB modify operation. Reviewed-by: abartlet
2011-05-25s4:samldb LDB module - convert a "dsdb_module_search" into ↵Matthias Dieter Wallnöfer1-5/+2
"dsdb_module_search_dn" It saves us from checking the number of returned entries. Reviewed-by: abartlet
2011-05-25s4:sam.py - uncomment/enhance some account type testsMatthias Dieter Wallnöfer1-30/+48
Reviewed-by: abartlet
2011-05-25s4:samldb LDB modules - only objectClass "computer" is allowed to embed all ↵Matthias Dieter Wallnöfer1-3/+33
types of account Reviewed-by: abartlet
2011-05-25s4:sam.py - tests for "isCriticalSystemObject" attributeMatthias Dieter Wallnöfer1-0/+132
Reviewed-by: abartlet
2011-05-25s4:samldb LDB module - fix "isCriticalSystemObject" behaviourMatthias Dieter Wallnöfer1-3/+22
Tests against Windows Server show that it gets set to "FALSE" (not deleted) if we change the account type to a domain member. Reviewed-by: abartlet
2011-05-25s4:sam.py - unchanged "primaryGroupID" when account type remains the sameMatthias Dieter Wallnöfer1-0/+38
Enhance the testcase with a workstation example. Reviewed-by: abartlet
2011-05-25s4:samldb LDB module - fix the behaviour when changing the "userAccountControl"Matthias Dieter Wallnöfer1-14/+31
Ekacnet was not quite right yet but his patch made me think further. This primary group changing is only needed if the account type changes. With this patch we do one more search if the "userAccountControl" changes but we save us from doing these unneeded and wrong modify replace operations most of the time. Reviewed-by: abartlet
2011-05-21s4:sam.py - add tests to check that setting "userAccountValue" on usersdon't ↵Matthieu Patou1-2/+40
impact the "primaryGroupID" attribute Notice: The domain administrators groups isn't referenced as "Domain Admins" since this name could differ. Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sat May 21 19:19:57 CEST 2011 on sn-devel-104
2011-05-21s4:samldb LDB module - don't change the "primaryGroupId" on LDB ↵Matthieu Patou1-1/+16
modifications unless we are a computer/dc/rodc Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2011-05-21s4:ldb-samba/ldb_wrap.*-dsdb/samdb/samdb.c - handle LDB connection flags as ↵Matthias Dieter Wallnöfer1-1/+1
unsigned The LDB API ("ldb_connect") prescribes that they should be "unsigned". Signed-off-by: Metze
2011-05-21s4-dsdb: add unit tests for dirsync controlMatthieu Patou1-0/+713
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-05-21s4-dsdb: implementation of the dirsync controlMatthieu Patou3-0/+1369
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-05-21s4-dsdb: introduce dsdb_module_search_treeMatthieu Patou1-24/+63
With this function your own search tree can be specified This function is similar to ldb_build_search_req_ex as it allows to pass a parse tree structure. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-05-21s4-dsdb: relax a bit the checks on read acl when dirsync control is specifiedMatthieu Patou1-12/+42
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-05-21s4-dsdb: create flag for requesting ACL relax in case of DIRSYNC requestMatthieu Patou1-0/+1
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-05-21s4: do not change the critical flag when it's on a dirsync controlMatthieu Patou1-1/+5
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-05-11s4/drepl_fsmo: Add an CR so that message is visible in the logsKamen Mazdrashki1-1/+1
Autobuild-User: Kamen Mazdrashki <kamenim@samba.org> Autobuild-Date: Wed May 11 21:03:59 CEST 2011 on sn-devel-104