Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
copying them
|
|
This is to don't break the provision process at the moment. We need to find
a better solution.
|
|
Make use of the new "change old password checked" control.
|
|
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
|
|
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.
metze
|
|
- Implement the password restrictions as specified in "samdb_set_password"
(complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
MS-ADTS 3.1.1.3.1.5)
|
|
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
|
|
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
"user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
|
|
- Add a new control for getting status informations (domain informations,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an addtional control "change_old password checked" for the password
|
|
|
|
|
|
This is needed since we have not only reset operations on password fields
(attributes marked with REPLACE flag) but also change operations which can be
performed by users itself. They have one attribute with the old value marked
with the REMOVE flag and one with the new one marked with the ADD flag.
This function helps to retrieve them (argument "new" is used for the new
password on both reset and change).
|
|
|
|
|
|
|
|
We may as well fall back rather than return NULL (which callers don't
do useful things with).
Andrew Bartlett
|
|
metze
|
|
This means that the existing kvno will no longer be valid, all
unix-based domain members may need to be rejoined, and
upgradeprovision run to update the local kvno in
secrets.ldb/secrets.keytab.
This is required to match the algorithm used by Windows DCs, which we
may be replicating with. We also need to find a way to generate a
reasonable kvno with the OpenLDAP backend.
Andrew Bartlett
|
|
Check on modify if we are RODC and return referral.
On the ldap backend side now we pass context and ldb_modify_default_callback
to propagate the referral error to the client.
|
|
|
|
|
|
|
|
|
|
The upgraded link values are were allocated on tmp_ctx, and need to be
kept until they are written to the DB. If we don't give the correct
context, they will be gone after the talloc_free(tmp_ctx).
Found by Matthieu Patou <mat+Informatique.Samba@matws.net>
Andrew Bartlett
|
|
|
|
In case schemaInfo value is still not set, WinAD supplies
schemaInfo blob with revision = 0 and GUID_ZERO
|
|
|
|
Error checking is simplified and my leave leeks.
I did it this way to make code more readable, and if we
get error in those lines, it will be WERR_NOMEM in which
case we are in a much deeper troubles than delayed freeing
of few bytes.
|
|
|
|
Having no value for schemaInfo is totally OK as it turns out.
In such cases, we should use a default value with
all fields set to 0.
|
|
This reverts commit 8149094eddebd9a0e8b7c123c2ed54d00164bb26.
Windows implementation does not set schemaInfo attribute value
until first Schema update request.
This way, newly provisioned forest returns no schemaInfo value.
I think it won't be bad for us to have this value preset, but
I want to mimic Win AD behavior as close as possible.
|
|
This function is used in DRSUpdateRefs() implementation where we
get DSA's objectGUID rather than invocationId
|
|
as client site
metze
|
|
call samba_spnupdate at the same time as samba_spnupdate
|
|
We are counting LDB objects here -> therefore "unsigned"
|
|
client address
The lookup of the client site is done using the subnets in the configuration
partition. If no one matches we use the Windows Server fallback mechansim.
This means: if only one site is available just use it. If they're more set the
output variable to "".
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The 0xc0002104/WERR_DS_DRA_NO_REPLICA seems to be spurious, and can be
avoided by setting DRSUAPI_DRS_SYNC_ALL in the DsReplicaSync request.
We need to investigate this further, and find out from MS why this is
sometimes being sent, even when the target DC has the right repsFrom
entries
|
|
This is based on the documentation: "the KCC will automatically create
the Reps-To attributes on destination DSAs based on other DSAs
Reps-From entries."
|
|
use hasMasterNCs to see what NCs we should be pulling from each DC
|
|
getting older attributes is quite common
|
|
this prevents the queue being stuck on failure
|
|
otherwise the queue is stuck forever
|
|
we rely on the highestUSN counters instead. W2K8 does not resend
DsUpdateRefs each time, and the WSPP docs do not indicate that repsTo
should be deleted
|
|
these partitions and not on the server we are replicating from. Also
check for deleted partitions.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Needed for RID allocation
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
DN links outside the set of partitions we are replication should be
allowed.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
generated named.conf.update
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
|