Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Use it only in conjunction with the DELETE one to allow the functions to work
also against Windows < 2008R2. This is really important for the vampire
operation.
Also mark the RECYCLED control as non-critical (so that it's simply ignored by
older Windows'es).
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 4 16:10:11 UTC 2010 on sn-devel-104
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Let us do the distinction by real use and provision by the RELAX flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
And relax some more object creations due to the enforced system flags rules.
|
|
- Integrate the ldap.py delete protection testing code and enhance it
- Demonstrate the DISALLOW_MOVE_ON_DELETE system flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
We intend to see always all objects with the "show_deleted" control specified.
To see also recycled objects (beginning with 2008_R2 function level) we need to
use the new "show_recycled" control.
As far as I see this is only internal code and therefore we don't run into
problems if we do substitute it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is needed since starting with 2008_R2 function level we get another type
of hidden objects which aren't seen by the "show_deleted" control: recycled
objects.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is needed if the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag was specified
and the parent is renamed.
To be able to do this we also need to relax the constraint checks (using the
"isDeleted" proof).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
MS-ADTS 3.1.1.3.4.1 and MS-ADTS 3.1.1.5.5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The deleted objects (tombstones, recycled & deleted objects) are handled by
"repl_meta_data".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is what Windows does
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
A typo prevented the right behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Do this as in "dsdb_dn_is_upgraded_link_val". There is really no reason to
truncate before search.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 3 10:45:39 UTC 2010 on sn-devel-104
|
|
|
|
A part was missing
|
|
|
|
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Oct 3 04:51:44 UTC 2010 on sn-devel-104
|
|
|
|
by using samba.tests.connect_samdb() helper
|
|
this is required when talking to RODCs (for notify calls), and is good
practice for all DCs
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this is more efficient than first searching for the DN, then doing a
search. We should look at using this in lots of existing code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we need to ensure we only ever compare USNs from the same originating
invocation ID.
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sat Oct 2 01:45:19 UTC 2010 on sn-devel-104
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we could use old_el after the base message had been re allocated, due
to adding timestamps. We need to re-find the element before using it
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
It is more useful to fail the transaction and give the user an error
message than to assert when we have an error in the repl_meta_data
module
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
otherwise we don't get the secrets!
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
we use the ADD_REF bit in getncchanges instead
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
we were incorrectly avoiding a getncchanges when WRIT_REP was not set
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
if our calculated replica_flags doesn't match the ones in our repsFrom
then update it
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
when we setup the krbtgt_NNNN account using the DCPROMO_OID control,
we also need to set an initial password for this account
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
A RODC cannot assume a role, and unwillingToPerform must be
returned if such request is sent via LDAP
|
|
this will be used outside of the drs server.
This also fixes the handling of the ndr_size elements of the
drs_ObjectIdentifier
|
|
|
|
If we don't we could show an old, incrorrect error
|
|
This simplifies the function. While doing so, also change the error
string setting to set a really clear error string for the failure to find
and failure to parse cases.
Andrew Bartlett
|
|
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
samdb_find_ntdsguid_for_computer()
these will be used by the new RODC dns update code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
log level 0 is excessive for this!
|
|
It is the same as ldb_request_add_control, except it will replace
an existing control.
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Sep 27 19:00:38 UTC 2010 on sn-devel-104
|
|
It is currently enabled only if the request comes from the LDAP server, and is
disabled by default. Use acl:search=true in smb.conf to enable it.
It filters out all objects the user is not allowed to see, and all attributes
the user does not have RP on. Extended access not supported yet.
|
|
The ACL reach tests are in the knowfail because aclread module is not
enabled by default
|
|
againts Windows
These tests will fail in make test as well if the acl_read module is enabled.
|
|
Similar to dsdb_check_access_on_dn, only it searches by guid.
|