| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This needed by the "cn_name_len"-1 accesses.
And use a "size_t"-typed variable for storing it (length specificators should
always be stored using "size_t" variables).
|
|
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
|
|
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
|
|
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
|
|
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
|
|
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
|
|
The NULL search expression expands to (objectClass=*), but %s expands
NULL to (NULL) which doesn't parse...
Andrew Bartlett
|
|
It is a problem if a samba header is called ldap.h if we also want
to use OpenLDAP's ldap.h
Andrew Bartlett
|
|
|
|
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
|
|
We had to split up the auth module into a module loaded by main deamon
and a subsystem we manually init in the operational module.
Andrew Bartlett
|
|
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
|
|
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
|
|
I need to change the functions this calls
Andrew Bartlett
|
|
|
|
|
|
recompiled by waf.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
other host is just unreachable
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
metze
|
|
metze
|
|
provision"
This reverts commit c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96.
The fix is not correct, we should cache a bool to answer amIRODC
|
|
This reverts commit 6276343ce1b7dd7d217e5a419c09f209f5f87379.
This is not needed anymore.
metze
|
|
before copying them"
This reverts commit fa87027592f71179c22f132e375038217bc9d36a.
This check is done one level above now.
metze
|
|
it's given
Sorry, I removed this logic while cleaning up indentation levels...
metze
|
|
When we don't have the cleartext of the new password then don't check it
using "samdb_check_password".
|
|
|
|
copying them
|
|
This is to don't break the provision process at the moment. We need to find
a better solution.
|
|
Make use of the new "change old password checked" control.
|
|
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
|
|
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.
metze
|
|
- Implement the password restrictions as specified in "samdb_set_password"
(complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
MS-ADTS 3.1.1.3.1.5)
|
|
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
|
|
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
"user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
|
|
- Add a new control for getting status informations (domain informations,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an addtional control "change_old password checked" for the password
|
|
|
|
|
|
This is needed since we have not only reset operations on password fields
(attributes marked with REPLACE flag) but also change operations which can be
performed by users itself. They have one attribute with the old value marked
with the REMOVE flag and one with the new one marked with the ADD flag.
This function helps to retrieve them (argument "new" is used for the new
password on both reset and change).
|
|
|
|
|
|
|
|
We may as well fall back rather than return NULL (which callers don't
do useful things with).
Andrew Bartlett
|
|
metze
|
|
This means that the existing kvno will no longer be valid, all
unix-based domain members may need to be rejoined, and
upgradeprovision run to update the local kvno in
secrets.ldb/secrets.keytab.
This is required to match the algorithm used by Windows DCs, which we
may be replicating with. We also need to find a way to generate a
reasonable kvno with the OpenLDAP backend.
Andrew Bartlett
|
