path: root/source4/dsdb
Age | Commit message | Author | Files | Lines
2012-11-16 | dsdb: Make secrets_tdb_sync cope with -H secrets.ldb | Andrew Bartlett | 1 | -2/+3
The issue was, without a / in the path, we did not cope. Andrew Bartlett Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-12 | s4:dsdb/acl_read: make sure confidential attributes require CONTROL_ACCESS (bug #8620) | Stefan Metzmacher | 1 | -0/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 12 01:25:21 CET 2012 on sn-devel-104
2012-11-12 | s4:dsdb/acl_read: fix whitespace formatting errors | Stefan Metzmacher | 1 | -124/+128
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | s4:dsdb/acl: only give administrators access to attributes marked as confidential (bug #8620) | Stefan Metzmacher | 1 | -0/+87
The full fix will be to implement and use the code of the read_acl module, but this is better than nothing for now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | s4:dsdb/acl: reorganize the logic flow in the password filtering checks | Stefan Metzmacher | 1 | -54/+92
This avoids some nesting levels and does early returns. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-12 | s4:dsdb/acl: fix search filter cleanup for password attributes | Stefan Metzmacher | 1 | -1/+1
We need to do this when we're *not* system. Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 | ldb_secrets_tdb_sync: Add dependency on gssapi. | Jelmer Vernooij | 1 | -1/+1
This is required when building with the system heimdal, as gssapi/gssapi_spnego.h is included. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Nov 6 05:12:28 CET 2012 on sn-devel-104
2012-11-06 | dsdb: Rename _res argument to _result. | Jelmer Vernooij | 1 | -6/+6
Newer versions of heimdal include a macro that is unfortunately named '_res'. This change prevents the clash. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-11-06 | dsdb: Simplify DsCrackNameOneFilter a bit | Volker Lendecke | 1 | -1/+4
For me "else" branches clutter my flow reading code. If we do a hard return at the end of an "if" branch, "else" is not required. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2012-10-25 | dsdb-cracknames: Return DRSUAPI_DS_NAME_STATUS_NO_MAPPING when there is no SID | Andrew Bartlett | 1 | -3/+7
If there is no SID for an object being mapped, then there is no NT4 name. We need to return DRSUAPI_DS_NAME_STATUS_NO_MAPPING rather than error out with anything other than WERR_OK as the return value. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Oct 25 04:43:25 CEST 2012 on sn-devel-104
2012-10-24 | dsdb-cracknames: Always use talloc_zero() | Andrew Bartlett | 1 | -1/+1
Otherwise, we will return un-initialised values to the caller, which will attempt to push them onto the wire. Found by Greg Dickie <greg@justaguy.ca>. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Oct 24 05:12:04 CEST 2012 on sn-devel-104
2012-10-07 | s4-repl: make dreplsrv_partition_find_for_nc return BAD_NC only | Matthieu Patou | 1 | -2/+7
2012-10-07 | drs-replica-info: level_not_supported is wrong when we do support (partially the level) | Matthieu Patou | 1 | -9/+13
2012-10-07 | drs-crackname: if there is no sid do not return the domain | Matthieu Patou | 1 | -0/+2
2012-10-07 | Implement the LIST_INFO_FOR_SERVER input format | Matthieu Patou | 1 | -0/+107
2012-09-01 | s4-dsdb: Remove unused variables | Andrew Bartlett | 1 | -3/+0
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Sep 1 05:10:47 CEST 2012 on sn-devel-104
2012-09-01 | s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_context | Andrew Bartlett | 1 | -2/+0
This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! Andrew Bartlett
2012-08-28 | s4-dsdb: Remove double-free in update_keytab module | Andrew Bartlett | 1 | -2/+0
2012-08-28 | s4-dsdb: Add secrets_tdb_sync - an ldb module to keep secrets.tdb in sync | Andrew Bartlett | 3 | -0/+539
secrets_tdb_sync is a new ldb module designed to sync secrets.ldb entries with the secrets.tdb file. While not ideal to keep two copies of this data, this routine will assist in allowing the samba-tool domain join code to operate correctly in most cases where winbindd and smbd are used. Andrew Bartlett
2012-08-23 | s4-dsdb: Remove unused variables | Andrew Bartlett | 1 | -5/+0
2012-08-23 | s4-dsdb: Do not use a possibly-old loadparm context in schema reload | Andrew Bartlett | 3 | -19/+18
The loadparm context on the schema DB might have gone away already. Pre-cache the schema refresh interval at load time to avoid worrying about this. Andrew Bartlett
2012-08-22 | s4:samldb LDB module - remove unused "member" attribute from search filter | Matthias Dieter Wallnöfer | 1 | -1/+1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22 | s4:dsdb - always fail if a search filter could not be parsed | Matthias Dieter Wallnöfer | 1 | -0/+3
A NULL string/expression returns the generic "(objectClass=*)" filter Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22 | s4:dsdb_sort_objectClass_attr - simplify memory context handling | Matthias Dieter Wallnöfer | 3 | -37/+23
Do only require the out memory context and build the temporary one in the body of the function. This greatly simplifies the callers. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-22 | s4:dsdb_sort_objectClass_attr - use "data_blob_string_const" for setting values | Matthias Dieter Wallnöfer | 1 | -6/+1
As shown in commit c8e6d8b487 this looks easier and in any case we can treat schema context data like global data. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-17 | s4-dsdb: Use tmp_ctx in kccsrv_check_deleted to avoid leaking memory onto part->dn | Andrew Bartlett | 1 | -6/+11
The confusing use of do_dn as a memory context while legitimate created a bug when it was copied and modified to search on a DN from long-term state. By always using a temporary memory context it is clear what parameter is the memory context. This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Aug 17 18:24:10 CEST 2012 on sn-devel-104
2012-08-17 | s4-kcc: Avoid use-after-free of dn and add tmp_ctx | Andrew Bartlett | 1 | -2/+9
By using a tmp_ctx we are clearer about allocating temporary memory. Andrew Bartlett
2012-08-17 | s4-dsdb: Ensure we always free tmp_ctx in schema refresh check | Andrew Bartlett | 1 | -0/+2
This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! In that log, over 2.5 days this particular allocation was repeated: 1715099 talloc_new: ../source4/dsdb/samdb/ldb_modules/schema_load.c:120 contains 0 bytes in 1 blocks Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Aug 17 06:21:18 CEST 2012 on sn-devel-104
2012-08-14 | s4:dsdb/repl: fix the usage of 'GC/' prefixed principal names | Stefan Metzmacher | 1 | -21/+6
The "serverReference" attribute is available on the "server" object not on the "nTDSA" object. This allows connections to RODCs, as they don't have a E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN} principal. Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Aug 14 18:57:41 CEST 2012 on sn-devel-104
2012-08-14 | s4-dsdb: Use samdb_dn_is_our_ntdsa() | Andrew Bartlett | 5 | -37/+61
This uses a GUID based comparison, and avoids re-fetching the samdb_ntds_settings_dn each time. Andrew Bartlett
2012-08-14 | s4-dsdb: Add samdb_dn_is_our_ntdsa() | Andrew Bartlett | 1 | -0/+25
This is like samdb_reference_dn_is_our_ntdsa but without the attribute de-reference. Andrew Bartlett
2012-08-14 | s4-dsdb: Use samdb_reference_dn_is_our_ntdsa() | Andrew Bartlett | 1 | -35/+4
2012-08-14 | s4-dsdb: Add helper function samdb_reference_dn_is_our_ntdsa() | Andrew Bartlett | 1 | -1/+39
We often want to know if we own an FSMO role (for example). This tries to be more efficient by comparing the GUID, rather than the string DN, as this does not need to be re-fetched each time. Andrew Bartlett
2012-08-14 | s4-dsdb: Use ldb_dn_copy() rather than talloc_reference() | Andrew Bartlett | 1 | -1/+1
As the normal case (outside provision) uses a copy, this avoids a case where a caller might modify a global variable accidentally. As suggested by metze. Andrew Bartlett
2012-08-14 | s4-libnet: Improve debugging of libnet_BecomeDC LDAP errors | Andrew Bartlett | 1 | -0/+2
2012-08-14 | s4:dsdb/repl: ldb_errstring() takes a 'struct ldb_context' not 'int' | Stefan Metzmacher | 1 | -1/+2
metze Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Aug 14 13:58:31 CEST 2012 on sn-devel-104
2012-08-14 | s4:dsdb/repl: make sure instanceType_e is not changed by a reallocation | Stefan Metzmacher | 1 | -1/+11
Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze
2012-08-14 | s4:dsdb/repl: avoid reallocation of msg->elements | Stefan Metzmacher | 1 | -1/+1
The index into the elements needs to match between msg->elements and md->ctr.ctr1.array, which means we should pre-allocate them with the same size. Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze
2012-08-14 | s4-dsdb: Add mem_ctx argument to samdb_ntds_settings_dn | Andrew Bartlett | 12 | -27/+42
As this value is calculated new each time, we need to give it a context to live on. If the value is the forced value during provision, a reference is taken. This was responsible for the memory leak in the replication process. In the example I was given, this DN appeared in memory 13596 times! Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Aug 14 10:05:14 CEST 2012 on sn-devel-104
2012-08-14 | s4-dsdb: Improve memory handling in dsdb_schema_from_ldb_results() by adding a tmp_ctx | Andrew Bartlett | 1 | -2/+14
2012-08-14 | s4-dsdb: Improve memory handling in kccsrv_add_connection() | Andrew Bartlett | 1 | -0/+5
2012-08-14 | s4-dsdb: Improve memory handling in kccsrv_find_connections() by adding a tmp_ctx | Andrew Bartlett | 1 | -4/+15
2012-08-14 | s4-dsdb: Add const | Andrew Bartlett | 1 | -4/+4
2012-08-11 | s4-dsdb: Take more care in handling of global schema memory | Andrew Bartlett | 2 | -28/+64
This reworks dsdb_replicated_objects_commit() to have a proper local tmp_ctx and to be more careful about what schema is set (only setting a global schema if the original schema was global). In particular, the new working_schema is not given a talloc reference to the old schema. This ensures that the old schema can go away when no longer used. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Aug 11 10:31:57 CEST 2012 on sn-devel-104
2012-08-11 | s4-dsdb: Remove support for per-partition sequence numbers | Andrew Bartlett | 1 | -23/+0
These sequence numbers were only used for telling if the schema was changed, and are no longer directly related to the replication USN. The per-partition replication USN can be obtained from the @REPLCHANGED record on the per-partition database, and this is done with an ldb_search(). Andrew Bartlett
2012-08-11 | s4-dsdb: Use only the replication USN for schema reload. | Andrew Bartlett | 2 | -66/+0
This way we do not track both the partition seq number and the replication USN for schema reload purposes. We only need one indication of actual data change, and the replication per-partition sequence number is no more expensive to obtain than the ldb per-partition sequence number. Andrew Bartlett
2012-08-10 | build: rename security → samba-security | Björn Jacke | 2 | -9/+9
there is a libsecurity on OSF1 which clashes with our security lib. see bug #9023. Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Björn Jacke <bj@sernet.de> Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104
2012-08-10 | s4-dsdb: Explain better what records are written during schema set | Andrew Bartlett | 2 | -10/+19
This is controlled by setting write_indices_and_attributes. Andrew Bartlett
2012-08-09 | s4-dsdb: Remove strcasecmp() fallback in replmd_ldb_message_element_attid_sort | Andrew Bartlett | 1 | -7/+0
In all callers, we must already have a attributeID for each of the values or else we would have already given an error, or could not have obtained the message over DRS. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Aug 9 11:39:54 CEST 2012 on sn-devel-104
2012-08-09 | s4-dsdb: Do not reload partition metadata except on transaction start | Andrew Bartlett | 1 | -11/+0
This ensures that we do not add objects that should go into a partition, but we simply return that an object is not present if the connection was created before the partition was loaded. It is rare to create a new partition. Andrew Bartlett