summaryrefslogtreecommitdiff
path: root/source4/dsdb
AgeCommit message (Collapse)AuthorFilesLines
2013-05-16dsdb: Expand on what the error finding the ntSecurityDescriptor was in acl_readAndrew Bartlett1-2/+8
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16dsdb-schema: Print clear debug message when we find a OID in our local DB we ↵Andrew Bartlett1-0/+1
cannot convert We need to work out why we are unable to make a mapping for an OID in our database, because we should not have been able to add it without such a mapping. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16dsdb-repl: Allow the name attribute (and name-based schema lookups) to be ↵Andrew Bartlett1-12/+19
skipped in dsdb_repl_make_working_schema() This allows us to use a schema that may only be valid for attributeID based lookups, during the schema load. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-15source4/dsdb/schema/schema_convert_to_ol.c: Fix typo in comment.Karolin Seeger1-1/+1
Signed-off-by: Karolin Seeger <kseeger@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15source4/dsdb/samdb/ldb_modules/local_password.c: Fix typo in comment.Karolin Seeger1-1/+1
Signed-off-by: Karolin Seeger <kseeger@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-05-15dsdb-drepl: create a new schedulable event for running pending operationsMatthieu Patou3-1/+79
So instead of running dreplsrv_periodic_schedule when receiving a DRS_REPLICA_SYNC request which will force the DC to look for changes with all the DC it usually replicate to, we reduce it to the DC specified in the DRS_REPLICA_SYNC request. It will allow also to do have the correct options as set by the client who send the DRS_REPLICA_SYNC. Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-14dsdb: make the name of non related class more obviousMatthieu Patou1-2/+3
Signed-off-by: Matthieu Patou <mat@matws.net> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-04-19s4:dsdb: Fix warnings about not set / set but unused / shadowed variablesMatthieu Patou7-20/+5
Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 19 13:15:40 CEST 2013 on sn-devel-104
2013-03-05dsdb: Check for pointers before we deference them.Andreas Schneider1-7/+7
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-02-22dsdb-descriptor: Avoid segfault copying an SD without an owner or groupAndrew Bartlett1-4/+12
This is an unusual SD, but it does exist is some very old upgraded databases. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Feb 22 11:06:17 CET 2013 on sn-devel-104
2013-02-22dsdb-descriptor: Spell out security descriptor flags as constantsAndrew Bartlett2-2/+2
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-02-20ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'Rusty Russell1-3/+10
Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au> Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-08dsdb-operational: rework the loop for attribute removalMatthieu Patou1-41/+92
Instead of doing ldb_in_list size(operational_remove) * (attrs_user + attr_searched) * number of entries times to get the list of attributes to remove we construct this list before the search and then use it for every entries. Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-08dsdb-repl: make message more clearerMatthieu Patou1-2/+2
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-08replmetadata: raise msg level for conflict resolution so that we don't ↵Matthieu Patou1-2/+2
polute logs Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-08dsdb-repl: do not ask to add ref when doing getncchange for an exopMatthieu Patou1-0/+7
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-08dsdb-cracknames: Fix potential double free and memory leaksMatthieu Patou1-2/+4
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-02-04dsdb/util: rework samdb_check_password() to support utf8Stefan Metzmacher1-5/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-04dsdb/password_hash: rename variable 'stat' to 'vstat'Stefan Metzmacher1-5/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-04dsdb/password_hash: make sure that io->n.cleartext_utf8.data is a null ↵Stefan Metzmacher1-0/+23
terminated string Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-01-27dsdb-descriptor: get_default_group() should always return the DAG sid (bug ↵Stefan Metzmacher1-5/+10
#9481) Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27tests/sec_descriptor: the default owner behavior depends on ↵Stefan Metzmacher1-4/+4
domainControllerFunctionality (bug #9481) Not on the domainFunctionality. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-23dsdb-acl: remove unused variableStefan Metzmacher1-1/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Jan 23 20:04:09 CET 2013 on sn-devel-104
2013-01-22drepl-notify: change misleading messageMatthieu Patou1-1/+1
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb: Fix warning about unused varMatthieu Patou1-2/+0
Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Jan 21 17:51:16 CET 2013 on sn-devel-104
2013-01-21dsdb: Explain ordering constraints on the ACL module as well.Andrew Bartlett1-2/+2
Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb: Ensure "authenticated users" is processed for group membershipsAndrew Bartlett2-31/+25
This change moves the addition of "Authenticated Users" from the very end of the token processing to the start. The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects. Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21libcli/security: handle node initialisation in one spot in ↵Andrew Bartlett2-11/+10
insert_in_object_tree() This removes special-case for initalising the children array in insert_in_object_tree(). talloc_realloc() handles the intial allocate case perfectly well, so there is no need to have this duplicated. This also restores having just one place were the rest of the elements are intialised, to ensure uniform behaviour. To do this, we have to rework insert_in_object_tree to have only one output variable, both because having both root and new_node as output variables was too confusing, and because otherwise the two pointers were being allowed to point at the same memory. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: the SEC_ADS_DELETE_CHILD checks need objectclass->schemaIDGUIDStefan Metzmacher1-2/+7
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: make use of acl_check_access_on_objectclass() for the object in ↵Stefan Metzmacher1-6/+50
acl_delete() We should only use dsdb_module_check_access_on_dn() on the parent. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: make use of acl_check_access_on_{attribute,objectclass} in ↵Stefan Metzmacher1-47/+43
acl_rename() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: make use of acl_check_access_on_attribute() in acl_modify()Stefan Metzmacher1-44/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: remove unused acl_check_access_on_class()Stefan Metzmacher1-46/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: use acl_check_access_on_objectclass() instead of ↵Stefan Metzmacher1-8/+13
acl_check_access_on_class() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Use the structural objectClass in acl_check_access_on_attribute()Andrew Bartlett1-16/+16
This commit enters the GUID into the object tree so that that access rights assigned to the structural objectClass are also available, as well as rights assigned to the attribute property groups. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Pass the structural objectClass into acl_check_access_on_attributeAndrew Bartlett3-20/+57
This will, when the GUID is entered into the object tree (not in this commit) ensure that access rights assigned to the structural objectClass are also available, as well as rights assigned to the attribute property groups. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Remove unused get_oc_guid_from_message()Andrew Bartlett1-19/+0
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: ask for the objectClass attribute if it's not in the scope of the ↵Andrew Bartlett1-1/+16
clients search This will be used later. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: use dsdb_get_structural_oc_from_msg() rather than ↵Andrew Bartlett1-8/+7
class_schemaid_guid_by_lDAPDisplayName This uses dsdb_get_last_structural_objectclass(), which encodes this ordering knowledge in one place in the code, rather than using this uncommented magic expression: (char *)oc_el->values[oc_el->num_values-1].data Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_rename()Andrew Bartlett1-12/+14
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Use dsdb_get_structural_oc_from_msg() in acl_modify()Andrew Bartlett1-8/+10
Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: add acl_check_access_on_objectclass() helperStefan Metzmacher1-0/+39
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: Add helper function dsdb_get_structural_oc_from_msg()Andrew Bartlett1-0/+13
This will eventually replace get_oc_guid_from_message(), returning the full dsdb_class. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: attr is not optional to acl_check_access_on_attribute()Stefan Metzmacher1-25/+24
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: dsdb_attribute_by_lDAPDisplayName() is needed for all attributesStefan Metzmacher1-16/+18
"clearTextPassword" is the only exception. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: introduce a 'el' helper variable to acl_modify()Stefan Metzmacher1-12/+11
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-acl: introduce a 'msg' helper variable to acl_modify()Stefan Metzmacher1-20/+20
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-schema: make sure we build [system]PossibleInferiors completelyStefan Metzmacher1-0/+4
Otherwise callers like dsdb_schema_copy_shallow() will corrupt the talloc hierarchie. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-schema: make sure use clean caches in schema_inferiors.cStefan Metzmacher2-28/+32
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dsdb-schema: make schema_subclasses_order_recurse() staticStefan Metzmacher1-3/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>