summaryrefslogtreecommitdiff
path: root/source4/dsdb
AgeCommit message (Collapse)AuthorFilesLines
2010-05-10s4:dsdb: add new controlsMatthias Dieter Wallnöfer1-0/+21
- Add a new control for getting status informations (domain informations, password change status) directly from the module - Add a new control for allowing direct hash changes - Introduce an addtional control "change_old password checked" for the password
2010-05-10s4-rodc: Fix provision warnings by creating ntds objectGUID in provisionAnatoliy Atanasov1-0/+23
2010-05-10s4:acl ldb module - fix typosMatthias Dieter Wallnöfer1-3/+3
2010-05-10s4:dsdb/util.c - Add a new function for retrieving password change attributesMatthias Dieter Wallnöfer1-0/+41
This is needed since we have not only reset operations on password fields (attributes marked with REPLACE flag) but also change operations which can be performed by users itself. They have one attribute with the old value marked with the REMOVE flag and one with the new one marked with the ADD flag. This function helps to retrieve them (argument "new" is used for the new password on both reset and change).
2010-05-09s4:samldb LDB module - make "samldb_member_check" synchronous againMatthias Dieter Wallnöfer1-64/+33
2010-05-09s4:samldb LDB module - make "samldb_prim_group_users_check" synchronous againMatthias Dieter Wallnöfer1-235/+24
2010-05-09s4:samldb LDB module - update the copyright noticeMatthias Dieter Wallnöfer1-1/+1
2010-05-09s4:dsdb Provide an intelegent fallback if not CN=Subnets is foundAndrew Bartlett1-3/+7
We may as well fall back rather than return NULL (which callers don't do useful things with). Andrew Bartlett
2010-05-09dsdb/password_hash: remove usage of msDs-KeyVersionNumberStefan Metzmacher1-37/+1
metze
2010-05-09s4:dsdb Use replPropertyMetaData as the basis for msDS-KeyVersionNumberAndrew Bartlett1-10/+76
This means that the existing kvno will no longer be valid, all unix-based domain members may need to be rejoined, and upgradeprovision run to update the local kvno in secrets.ldb/secrets.keytab. This is required to match the algorithm used by Windows DCs, which we may be replicating with. We also need to find a way to generate a reasonable kvno with the OpenLDAP backend. Andrew Bartlett
2010-05-04s4/rodc: Support read-only databaseAnatoliy Atanasov5-13/+76
Check on modify if we are RODC and return referral. On the ldap backend side now we pass context and ldb_modify_default_callback to propagate the referral error to the client.
2010-05-04s4/rodc: Fix the callbacks up the stack to handle referrals on modify requestsAnatoliy Atanasov6-0/+48
2010-05-03s4/rodc: Implement msDS-isRODC constructed attrAnatoliy Atanasov2-7/+167
2010-05-03Replaced DS_FLAG_ATTR_IS_CRITICAL with SCHEMA_FLAG_ATTR_IS_CRITICAL.Nadezhda Ivanova1-1/+1
2010-05-03Added a function to check if an attribute can belong to a filtered replica.Nadezhda Ivanova3-2/+113
2010-05-01s4:dsdb Fix use of memory after free in repl_meta_dataAndrew Bartlett1-7/+9
The upgraded link values are were allocated on tmp_ctx, and need to be kept until they are written to the DB. If we don't give the correct context, they will be gone after the talloc_free(tmp_ctx). Found by Matthieu Patou <mat+Informatique.Samba@matws.net> Andrew Bartlett
2010-04-29s4/rodc: RODC FAS initial implementationAnatoliy Atanasov3-12/+41
2010-04-29s4/dsdb: schemaInfo revision may be 0Kamen Mazdrashki1-5/+1
In case schemaInfo value is still not set, WinAD supplies schemaInfo blob with revision = 0 and GUID_ZERO
2010-04-29s4/dsdb: remove unused dsdb_schema_info_create() functionKamen Mazdrashki1-35/+0
2010-04-29s4/dsdb: Update Schema cache with updated schemaInfo valueKamen Mazdrashki1-4/+9
Error checking is simplified and my leave leeks. I did it this way to make code more readable, and if we get error in those lines, it will be WERR_NOMEM in which case we are in a much deeper troubles than delayed freeing of few bytes.
2010-04-29s4/samldb: Create initial schemaInfo value if it doesn't exists yetKamen Mazdrashki1-7/+30
2010-04-29s4/dsdb: Use default schemaInfo value when no such value is givenKamen Mazdrashki3-16/+25
Having no value for schemaInfo is totally OK as it turns out. In such cases, we should use a default value with all fields set to 0.
2010-04-29Revert "s4/dsdb: Set schemaInfo attribute value during provisioning"Kamen Mazdrashki1-49/+0
This reverts commit 8149094eddebd9a0e8b7c123c2ed54d00164bb26. Windows implementation does not set schemaInfo attribute value until first Schema update request. This way, newly provisioned forest returns no schemaInfo value. I think it won't be bad for us to have this value preset, but I want to mimic Win AD behavior as close as possible.
2010-04-28s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUIDKamen Mazdrashki1-18/+18
This function is used in DRSUpdateRefs() implementation where we get DSA's objectGUID rather than invocationId
2010-04-27s4:dsdb/common: if we don't have the ip of the client return the server site ↵Stefan Metzmacher1-0/+8
as client site metze
2010-04-27s4-dns: call spn update command alongside dns updateAndrew Tridgell1-0/+46
call samba_spnupdate at the same time as samba_spnupdate
2010-04-27s4:kcc_periodic.c - fix counter typesMatthias Dieter Wallnöfer1-1/+1
We are counting LDB objects here -> therefore "unsigned"
2010-04-27s4:util - add a function which finds the matching client site using the ↵Matthias Dieter Wallnöfer1-0/+90
client address The lookup of the client site is done using the subnets in the configuration partition. If no one matches we use the Windows Server fallback mechansim. This means: if only one site is available just use it. If they're more set the output variable to "". Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-27s4-repl: added a workaround for WERR_DS_DRA_NO_REPLICA DsReplicaSync errorsAndrew Tridgell2-2/+19
The 0xc0002104/WERR_DS_DRA_NO_REPLICA seems to be spurious, and can be avoided by setting DRSUAPI_DRS_SYNC_ALL in the DsReplicaSync request. We need to investigate this further, and find out from MS why this is sometimes being sent, even when the target DC has the right repsFrom entries
2010-04-27s4-drs: add entries to repsTo based on calculated repsFromAndrew Tridgell1-2/+30
This is based on the documentation: "the KCC will automatically create the Reps-To attributes on destination DSAs based on other DSAs Reps-From entries."
2010-04-27s4-drepl: don't setup a repsFrom from a DC that isn't a master for a NCAndrew Tridgell1-5/+50
use hasMasterNCs to see what NCs we should be pulling from each DC
2010-04-27s4-repl: these messages are common, and don't deserve debug level 1Andrew Tridgell1-2/+2
getting older attributes is quite common
2010-04-27s4-repl: on a failed request, clear the current ptrAndrew Tridgell1-0/+1
this prevents the queue being stuck on failure
2010-04-27s4-repl: end repl request when not doing an UpdateRefsAndrew Tridgell1-0/+2
otherwise the queue is stuck forever
2010-04-27s4-repl: don't delete repsTo entry on DsReplicaSyncAndrew Tridgell1-46/+12
we rely on the highestUSN counters instead. W2K8 does not resend DsUpdateRefs each time, and the WSPP docs do not indicate that repsTo should be deleted
2010-04-26s4-ddb: don't create partitions with the UNINSTANT flag setAndrew Tridgell1-1/+14
these partitions and not on the server we are replicating from. Also check for deleted partitions. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-26s4-drs: allow getncchanges requests to non WRIT_REP partitions for extended opsAndrew Tridgell1-1/+2
Needed for RID allocation Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-26s4-drepl: don't send an UpdateRefs unless its a plain replicationAndrew Tridgell1-1/+3
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-26s4-drs: make links to foreign partitions non-fatalAndrew Tridgell1-8/+6
DN links outside the set of partitions we are replication should be allowed. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-24s4 dns: Allow to specify static grant entries to be added to the dynamicaly ↵Matthieu Patou1-3/+17
generated named.conf.update Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-04-22s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER levelAndrew Tridgell4-4/+4
This is used for allowing operations by RODCs, and denying them operations that should only be allowed for a full DC This required a new domain_sid argument to security_session_user_level() Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Rusty Russell <rusty@samba.org>
2010-04-22s4-drs: removed dsdb_validate_client_flags()Andrew Tridgell2-37/+0
This test is in the wrong place. We end up validating our own flags. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-dsdb: removed an unused variableAndrew Tridgell1-1/+0
2010-04-22s4-dsdb: added dsdb_validate_invocation_id()Andrew Tridgell1-0/+87
this validates that a invocationID matches an account sid This will be used to ensure that we don't allow DRS replication from someone a non-DC or administrator Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-dsdb: added dsdb_get_extended_dn_sid()Andrew Tridgell2-12/+34
This will be used by the RODC code Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-dsdb: moved rodc schema validation to samldb.cAndrew Tridgell2-33/+37
This means we are only doing the checks for schema changes Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-drs: Use new samdb_rodc() function in s4 codeFernando J V da Silva1-1/+1
This patch fits the calling to the new samdb_rodc() function and fix a little bug in this function. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s40-drs: Do not send GetNCChanges messages to RODCsFernando J V da Silva1-0/+11
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s4-drs: dsdb_validate_client_flags() functionFernando J V da Silva1-0/+28
This function is intended to check if some client is not lying about his flags. At this moment, it only checks for RODC flags. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s4-drs: samdb_is_rodc() function and new samdb_rodc() functionFernando J V da Silva4-37/+64
This patch creates the samdb_is_rodc() function, which looks for the NTDSDSA object for a DC that has a specific invocationId and if msDS-isRODC is present on such object and it is TRUE, then consider the DC as a RODC. The new samdb_rodc() function uses the samdb_is_rodc() function for the local server. Signed-off-by: Andrew Tridgell <tridge@samba.org>