Age | Commit message (Collapse) | Author | Files | Lines |
|
This function is used in DRSUpdateRefs() implementation where we
get DSA's objectGUID rather than invocationId
|
|
as client site
metze
|
|
call samba_spnupdate at the same time as samba_spnupdate
|
|
We are counting LDB objects here -> therefore "unsigned"
|
|
client address
The lookup of the client site is done using the subnets in the configuration
partition. If no one matches we use the Windows Server fallback mechansim.
This means: if only one site is available just use it. If they're more set the
output variable to "".
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The 0xc0002104/WERR_DS_DRA_NO_REPLICA seems to be spurious, and can be
avoided by setting DRSUAPI_DRS_SYNC_ALL in the DsReplicaSync request.
We need to investigate this further, and find out from MS why this is
sometimes being sent, even when the target DC has the right repsFrom
entries
|
|
This is based on the documentation: "the KCC will automatically create
the Reps-To attributes on destination DSAs based on other DSAs
Reps-From entries."
|
|
use hasMasterNCs to see what NCs we should be pulling from each DC
|
|
getting older attributes is quite common
|
|
this prevents the queue being stuck on failure
|
|
otherwise the queue is stuck forever
|
|
we rely on the highestUSN counters instead. W2K8 does not resend
DsUpdateRefs each time, and the WSPP docs do not indicate that repsTo
should be deleted
|
|
these partitions and not on the server we are replicating from. Also
check for deleted partitions.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Needed for RID allocation
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
DN links outside the set of partitions we are replication should be
allowed.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
generated named.conf.update
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
|
|
This test is in the wrong place. We end up validating our own flags.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
this validates that a invocationID matches an account sid
This will be used to ensure that we don't allow DRS replication
from someone a non-DC or administrator
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This will be used by the RODC code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This means we are only doing the checks for schema changes
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This patch fits the calling to the new samdb_rodc() function and
fix a little bug in this function.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This function is intended to check if some client is not lying about
his flags. At this moment, it only checks for RODC flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This patch creates the samdb_is_rodc() function, which looks for
the NTDSDSA object for a DC that has a specific invocationId
and if msDS-isRODC is present on such object and it is TRUE, then
consider the DC as a RODC.
The new samdb_rodc() function uses the samdb_is_rodc() function
for the local server.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The SIDs in some queries were not being passed as binary, but as
strings in comparison with the securityIdentifer object. We need to
recognise that these are SIDs in the simple_ldap_map.
Andrew Bartlett
|
|
This is rather than rdn_name, which tries to do the job on the client
side. We need to leave this module in the stack for Fedora DS (and of
course the LDB backend).
Andrew Bartlett
|
|
In the future, LDAP backends will be resposible for maintaining the
'name' attributes.
Andrew Bartlett
|
|
w2k8r2 sends a revision of zero in the initial schema replication
during a net vampire
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
By putting these values into the cache on the LDB, this reduces some
of the noise in provision, particularly with the LDAP backend.
Andrew Bartlett
|
|
|
|
|
|
metze
|
|
typos.
|
|
This function is mainly to help decoding replPropertyMetaData in python
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
|
|
The first is the forest base DN, the second the domain base DN. At the moment
we assume that they are both the same but it hasn't to be so.
Nadia, I would invite you to fix the outstanding parts regarding this (I added
comments).
|
|
domainname
|
|
"samdb_schema_dn"
They aren't needed anymore.
|
|
We should use the "ldb_get_*_basedn" calls since they are available in the LDB
library.
|
|
|
|
Purely cosmetic change.
|
|
|
|
Upstream subunit makes a ":" after commands optional, so I've fixed any
places where we might trigger commands accidently. I've filed a bug
about this in subunit.
|
|
|
|
The use of 'replace' is enough to wipe out the old value, whatever it
is, we don't need to set 'permissive modify' too.
Additionally, this seems to be causing trouble for the OpenLDAP backend
Andrew Bartlett
|
|
|