Age | Commit message (Collapse) | Author | Files | Lines |
|
This approach just asks the tdb backend to handle the single valued
constraint for us
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
different if the P flag is set.
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Thu Feb 10 12:31:34 CET 2011 on sn-devel-104
|
|
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
|
|
|
|
This both checks that the levels make sense, and they match what they
should be based on in the DB.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Feb 2 06:09:53 CET 2011 on sn-devel-104
|
|
The issue here is that when the samdb calls were removed, this call
relied on going back to the top of the module stack, so as to re-enter
the rootDSE search handler. It makes more sense to check the @ROOTDSE
record directly, and therefore not to invoke the search() handler
during the init.
Andrew Bartlett
|
|
This exact form of the construction is important, and we match on it
in the installation scripts.
Andrew Bartlett
|
|
errors.
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Fri Jan 28 12:04:01 CET 2011 on sn-devel-104
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Jan 25 13:09:41 CET 2011 on sn-devel-104
|
|
into "objectclass_attrs" LDB module
LSA object classes are protected on both LDAP add and LDAP modify
operations, so I've refactored the previous check in the objectclass LDB
module only for LDAP adds in a new one in the objectclass_attrs LDB
module for both adds and modifies.
This is the result of the investigations done by Hongwei Sun and I in
the last months.
Interestingly these protection mechansim doesn't apply on LDAP deletes!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
metadata stamps are equal
Autobuild-User: Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date: Sat Jan 22 12:22:30 CET 2011 on sn-devel-104
|
|
|
|
If object is changed by same DC, then version should be incremented
|
|
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
|
|
The input to gensec.update() should always be a string.
Andrew Bartlett
|
|
This confirms that the groups obtained from a Kerberos PAC match those
that a manual search of a target LDAP server would reveal.
This should allow mixing of a KDC specified by krb5.conf to test Samba
or Windows alternatly.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Jan 19 13:13:48 CET 2011 on sn-devel-104
|
|
Andrew Bartlett
|
|
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Tue Jan 18 15:53:46 CET 2011 on sn-devel-104
|
|
dsdb_module_search()
this ensures we follow the module stack, and set the parent on child
requests
|
|
this preserves the request hierarchy for dsdb_module_*() calls inside
dsdb ldb modules
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Use the temporary list unless we have at least the three main
"namingContexts" from the rootDSE available (Default, Configuration, Schema -
these are mandatory on all AD deployments!).
This bug has been discovered by Nadya in relation with her SD work.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Jan 15 19:01:11 CET 2011 on sn-devel-104
|
|
The LSA object creation protection changed to the trusted/untrusted
connection model.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Jan 14 19:30:52 CET 2011 on sn-devel-104
|
|
"UF_ACCOUNTDISABLE" is only added automatically if no "userAccountControl" flags
are set on LDAP add operations.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Jan 14 18:29:07 CET 2011 on sn-devel-104
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Jan 14 07:23:31 CET 2011 on sn-devel-104
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we should be using the dsdb_module_search*() calls
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this avoids using a multi-part extended DN in a search that hits the
check in extended_dn_in
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
builtin groups are shown in user tokenGroups searches
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this tests that the remote tokenGroups match the internally calculated
ones
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this DN we have came from an extended DN search, which means it may
have multiple extended components. We need to minimise the DN before
AD will accept it
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this checks that the number of extended components in a DN is valid,
to match MS AD behaviour. We need to do this to ensure that our tools
don't try to do operations that will be invalid when used against MS
servers
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This removes a silly cross-dependency between the ldb moudle stack and auth/
Andrew Bartlett
|
|
|
|
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Tue Jan 11 12:10:25 CET 2011 on sn-devel-104
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Jan 6 16:07:49 CET 2011 on sn-devel-104
|
|
|
|
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Dec 23 22:49:41 CET 2010 on sn-devel-104
|
|
Just for consistency.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Dec 23 21:46:38 CET 2010 on sn-devel-104
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Wed Dec 22 13:05:53 CET 2010 on sn-devel-104
|
|
Test setting spn on RWDC, RODC and regular computer object.
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Wed Dec 22 12:20:24 CET 2010 on sn-devel-104
|
|
If this right is granted to a user, they may modify the SPN of an object with some value restrictions
serviceName can be set only if the object is a DC, and then only to the default domain and netbios name, or ntds_guid._msdsc_.forest_domain. If the serviceType is GC, only to the forest root domain. If the serviceType is ldap, then to forest_domain or netbiosname.
InstanceType can be samAccountName or dnsHostName.
|
|
|
|
We now just do or do not call into LDB based on some flags.
This means there may be some more link time dependencies, but we seem
to deal with those better now.
Andrew Bartlett
|
|
This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.
Andrew Bartlett
|
|
These local TDB operations can quite safely be handled in a new/nested
event context, rather than using the main event context.
Andrew Bartlett
|