summaryrefslogtreecommitdiff
path: root/source4/dsdb
AgeCommit message (Collapse)AuthorFilesLines
2010-10-05heimdal: Fix name of hx509 library.Jelmer Vernooij2-2/+2
2010-10-04s4:dsdb/common/util.c - change the usage of the RECYCLED controlMatthias Dieter Wallnöfer1-1/+4
Use it only in conjunction with the DELETE one to allow the functions to work also against Windows < 2008R2. This is really important for the vampire operation. Also mark the RECYCLED control as non-critical (so that it's simply ignored by older Windows'es). Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Mon Oct 4 16:10:11 UTC 2010 on sn-devel-104
2010-10-03s4:ldap.py - test allowed system flags restrictionMatthias Dieter Wallnöfer1-1/+16
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:objectclass LDB module - introduce allowed system flags restrictionMatthias Dieter Wallnöfer1-6/+11
Let us do the distinction by real use and provision by the RELAX flag Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:urgent_replication.py - fix up the system flags handlingMatthias Dieter Wallnöfer1-4/+3
And relax some more object creations due to the enforced system flags rules.
2010-10-03s4:deletetest.py - enhance the testsMatthias Dieter Wallnöfer1-21/+216
- Integrate the ldap.py delete protection testing code and enhance it - Demonstrate the DISALLOW_MOVE_ON_DELETE system flag Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:ldap.py - remove the delete testsMatthias Dieter Wallnöfer1-92/+0
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:dsdb - substitute the "show_deleted" with the "show_recycled" controlMatthias Dieter Wallnöfer11-24/+30
We intend to see always all objects with the "show_deleted" control specified. To see also recycled objects (beginning with 2008_R2 function level) we need to use the new "show_recycled" control. As far as I see this is only internal code and therefore we don't run into problems if we do substitute it. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:dsdb/common/util.c - introduce "DSDB_SEARCH_SHOW_RECYCLED" flagMatthias Dieter Wallnöfer2-0/+8
This is needed since starting with 2008_R2 function level we get another type of hidden objects which aren't seen by the "show_deleted" control: recycled objects. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:subtree_rename LDB module - also already deleted objects have to be renamedMatthias Dieter Wallnöfer1-2/+13
This is needed if the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag was specified and the parent is renamed. To be able to do this we also need to relax the constraint checks (using the "isDeleted" proof). Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:show_deleted LDB module - also support the "show_recycled" controlMatthias Dieter Wallnöfer1-11/+62
MS-ADTS 3.1.1.3.4.1 and MS-ADTS 3.1.1.5.5 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:repl_meta_data LDB module - consider the ↵Matthias Dieter Wallnöfer1-10/+25
SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:subtree_delete LDB module - it is only responsible for non-deleted objectsMatthias Dieter Wallnöfer1-2/+1
The deleted objects (tombstones, recycled & deleted objects) are handled by "repl_meta_data". Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:objectclass LDB module - fix the "crossRef" delete protectionMatthias Dieter Wallnöfer1-3/+9
This is what Windows does Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:objectclass LDB module - fix the delete behaviour of server containersMatthias Dieter Wallnöfer1-2/+2
A typo prevented the right behaviour. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:dsdb_dn_val_rmd_flags - memmem - scan the whole string for occourencesMatthias Dieter Wallnöfer1-1/+1
Do this as in "dsdb_dn_is_upgraded_link_val". There is really no reason to truncate before search. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 3 10:45:39 UTC 2010 on sn-devel-104
2010-10-03s4:ldap.py - delete the right object after test completitionMatthias Dieter Wallnöfer1-1/+1
2010-10-03s4:ldap.py - fix "system only" testMatthias Dieter Wallnöfer1-0/+8
A part was missing
2010-10-03s4:acl_read LDB module - fix counter typeMatthias Dieter Wallnöfer1-1/+2
2010-10-03s4-kcc: silence "Testing kcctpl_create_intersite_connections" messageAndrew Tridgell1-1/+1
Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sun Oct 3 04:51:44 UTC 2010 on sn-devel-104
2010-10-03s4-test-dsdb_schema_info.py: Get rid of global module variablesKamen Mazdrashki1-17/+19
2010-10-03s4-test-dsdb_schema_info.py: Simplify connection SamDBKamen Mazdrashki1-19/+3
by using samba.tests.connect_samdb() helper
2010-10-01s4-repl: use the GC principal name for DRS replication connectionAndrew Tridgell3-6/+76
this is required when talking to RODCs (for notify calls), and is good practice for all DCs Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-01s4-dsdb: added dsdb_search_by_dn_guid()Andrew Tridgell1-0/+26
this is more efficient than first searching for the DN, then doing a search. We should look at using this in lots of existing code Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-02s4-drs: fixed comparison login in replicated renamesAndrew Tridgell1-45/+72
we need to ensure we only ever compare USNs from the same originating invocation ID. Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sat Oct 2 01:45:19 UTC 2010 on sn-devel-104
2010-10-02s4-kcc: remove stale repsTo entries in the KCCAndrew Tridgell1-0/+32
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-01s4-rpmd: fixed a use after realloc bugAndrew Tridgell1-2/+8
we could use old_el after the base message had been re allocated, due to adding timestamps. We need to re-find the element before using it Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-01s4-dsdb: fail the transaction instead of asserting on errorAndrew Tridgell1-2/+10
It is more useful to fail the transaction and give the user an error message than to assert when we have an error in the repl_meta_data module Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-30s4-rodc: don't set SPECIAL_SECRET_PROCESSING on EXOP_REPL_SECRETAndrew Tridgell1-0/+3
otherwise we don't get the secrets! Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-30s4-dsdb: silence the domainFunctionality not setup warningAndrew Tridgell1-1/+2
2010-09-29s4-drepl: don't call UpdateRefs on a RODCAndrew Tridgell1-5/+11
we use the ADD_REF bit in getncchanges instead Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-29s4-drepl: fixed the checking of replica_flags in the drepl serverAndrew Tridgell1-7/+0
we were incorrectly avoiding a getncchanges when WRIT_REP was not set Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-29s4-kcc: fixed the replica_flags in repsFrom in the kccAndrew Tridgell1-31/+72
if our calculated replica_flags doesn't match the ones in our repsFrom then update it Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-29s4-samldb: also set a password on the krbtgt_NNNN accountAndrew Tridgell1-0/+11
when we setup the krbtgt_NNNN account using the DCPROMO_OID control, we also need to set an initial password for this account Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29s4-rodc: RODC should not accept requests for role transferNadezhda Ivanova1-0/+12
A RODC cannot assume a role, and unwillingToPerform must be returned if such request is sent via LDAP
2010-09-28s4-drs: moved the drs_ObjectIdentifier handling to dsdb_dn.cAndrew Tridgell1-0/+42
this will be used outside of the drs server. This also fixes the handling of the ndr_size elements of the drs_ObjectIdentifier
2010-09-28s4-dsdb: adapted check_access_on_dn for use in drs.Nadezhda Ivanova1-9/+10
2010-09-29s4-dsdb Add ldb_reset_err_string() when we set error codes.Andrew Bartlett2-0/+4
If we don't we could show an old, incrorrect error
2010-09-29s4-dsdb Make samdb_reference_dn() use dsdb_search() and DSDB_SEARCH_ONE_ONLYAndrew Bartlett1-7/+8
This simplifies the function. While doing so, also change the error string setting to set a really clear error string for the failure to find and failure to parse cases. Andrew Bartlett
2010-09-29s4-dsdb Fix segfault in error case in rootdse moduleAndrew Bartlett1-1/+4
2010-09-27s4-dns: implemented RODC DNS update in dns update taskAndrew Tridgell1-0/+199
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-27s4-ldb: removed an unused variableAndrew Tridgell1-1/+0
2010-09-27s4-kcc: fixed a incorrect context to kcctpl_get_all_bridgehead_dcsAndrew Tridgell1-1/+1
2010-09-27s4-dsdb: added samdb_find_site_for_computer() and ↵Andrew Tridgell1-0/+57
samdb_find_ntdsguid_for_computer() these will be used by the new RODC dns update code Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-27s4-kcc: don't print "Testing kcctpl_create_intersite_connections"Andrew Tridgell1-1/+1
log level 0 is excessive for this!
2010-09-27s4-ldb: Added ldb_request_replace_controlNadezhda Ivanova1-1/+1
It is the same as ldb_request_add_control, except it will replace an existing control. Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Mon Sep 27 19:00:38 UTC 2010 on sn-devel-104
2010-09-26s4-ldbmodules: Added new module aclread to handle access checks on LDAP searchNadezhda Ivanova4-0/+327
It is currently enabled only if the request comes from the LDAP server, and is disabled by default. Use acl:search=true in smb.conf to enable it. It filters out all objects the user is not allowed to see, and all attributes the user does not have RP on. Extended access not supported yet.
2010-09-26s4-tests: Added tests for search checks on attributesNadezhda Ivanova1-5/+100
The ACL reach tests are in the knowfail because aclread module is not enabled by default
2010-09-26s4-tests: Removed search tests with anonymous credentials as they fail ↵Nadezhda Ivanova1-1/+1
againts Windows These tests will fail in make test as well if the acl_read module is enabled.
2010-09-26s4-dsdb: Added a function to check access on a particular object by its guidNadezhda Ivanova1-0/+37
Similar to dsdb_check_access_on_dn, only it searches by guid.