summaryrefslogtreecommitdiff
path: root/source4/dsdb
AgeCommit message (Collapse)AuthorFilesLines
2010-04-27s4:util - add a function which finds the matching client site using the ↵Matthias Dieter Wallnöfer1-0/+90
client address The lookup of the client site is done using the subnets in the configuration partition. If no one matches we use the Windows Server fallback mechansim. This means: if only one site is available just use it. If they're more set the output variable to "". Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-27s4-repl: added a workaround for WERR_DS_DRA_NO_REPLICA DsReplicaSync errorsAndrew Tridgell2-2/+19
The 0xc0002104/WERR_DS_DRA_NO_REPLICA seems to be spurious, and can be avoided by setting DRSUAPI_DRS_SYNC_ALL in the DsReplicaSync request. We need to investigate this further, and find out from MS why this is sometimes being sent, even when the target DC has the right repsFrom entries
2010-04-27s4-drs: add entries to repsTo based on calculated repsFromAndrew Tridgell1-2/+30
This is based on the documentation: "the KCC will automatically create the Reps-To attributes on destination DSAs based on other DSAs Reps-From entries."
2010-04-27s4-drepl: don't setup a repsFrom from a DC that isn't a master for a NCAndrew Tridgell1-5/+50
use hasMasterNCs to see what NCs we should be pulling from each DC
2010-04-27s4-repl: these messages are common, and don't deserve debug level 1Andrew Tridgell1-2/+2
getting older attributes is quite common
2010-04-27s4-repl: on a failed request, clear the current ptrAndrew Tridgell1-0/+1
this prevents the queue being stuck on failure
2010-04-27s4-repl: end repl request when not doing an UpdateRefsAndrew Tridgell1-0/+2
otherwise the queue is stuck forever
2010-04-27s4-repl: don't delete repsTo entry on DsReplicaSyncAndrew Tridgell1-46/+12
we rely on the highestUSN counters instead. W2K8 does not resend DsUpdateRefs each time, and the WSPP docs do not indicate that repsTo should be deleted
2010-04-26s4-ddb: don't create partitions with the UNINSTANT flag setAndrew Tridgell1-1/+14
these partitions and not on the server we are replicating from. Also check for deleted partitions. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-26s4-drs: allow getncchanges requests to non WRIT_REP partitions for extended opsAndrew Tridgell1-1/+2
Needed for RID allocation Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-26s4-drepl: don't send an UpdateRefs unless its a plain replicationAndrew Tridgell1-1/+3
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-26s4-drs: make links to foreign partitions non-fatalAndrew Tridgell1-8/+6
DN links outside the set of partitions we are replication should be allowed. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-24s4 dns: Allow to specify static grant entries to be added to the dynamicaly ↵Matthieu Patou1-3/+17
generated named.conf.update Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-04-22s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER levelAndrew Tridgell4-4/+4
This is used for allowing operations by RODCs, and denying them operations that should only be allowed for a full DC This required a new domain_sid argument to security_session_user_level() Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Rusty Russell <rusty@samba.org>
2010-04-22s4-drs: removed dsdb_validate_client_flags()Andrew Tridgell2-37/+0
This test is in the wrong place. We end up validating our own flags. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-dsdb: removed an unused variableAndrew Tridgell1-1/+0
2010-04-22s4-dsdb: added dsdb_validate_invocation_id()Andrew Tridgell1-0/+87
this validates that a invocationID matches an account sid This will be used to ensure that we don't allow DRS replication from someone a non-DC or administrator Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-dsdb: added dsdb_get_extended_dn_sid()Andrew Tridgell2-12/+34
This will be used by the RODC code Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-dsdb: moved rodc schema validation to samldb.cAndrew Tridgell2-33/+37
This means we are only doing the checks for schema changes Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-drs: Use new samdb_rodc() function in s4 codeFernando J V da Silva1-1/+1
This patch fits the calling to the new samdb_rodc() function and fix a little bug in this function. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s40-drs: Do not send GetNCChanges messages to RODCsFernando J V da Silva1-0/+11
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s4-drs: dsdb_validate_client_flags() functionFernando J V da Silva1-0/+28
This function is intended to check if some client is not lying about his flags. At this moment, it only checks for RODC flags. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s4-drs: samdb_is_rodc() function and new samdb_rodc() functionFernando J V da Silva4-37/+64
This patch creates the samdb_is_rodc() function, which looks for the NTDSDSA object for a DC that has a specific invocationId and if msDS-isRODC is present on such object and it is TRUE, then consider the DC as a RODC. The new samdb_rodc() function uses the samdb_is_rodc() function for the local server. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s4-drs: Do not allow system-critical attributes to be RODC filteredFernando J V da Silva1-0/+33
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s4:ldap-backend Fix LSA test failures with OpenLDAP backend - convert SIDsAndrew Bartlett1-0/+24
The SIDs in some queries were not being passed as binary, but as strings in comparison with the securityIdentifer object. We need to recognise that these are SIDs in the simple_ldap_map. Andrew Bartlett
2010-04-22s4:OpenLDAP-backend Use the new rdnval module in OpenLDAPAndrew Bartlett2-3/+8
This is rather than rdn_name, which tries to do the job on the client side. We need to leave this module in the stack for Fedora DS (and of course the LDB backend). Andrew Bartlett
2010-04-22s4:dsdb Revert accidentilly commited change for LDAP backendsAndrew Bartlett1-1/+1
In the future, LDAP backends will be resposible for maintaining the 'name' attributes. Andrew Bartlett
2010-04-21s4-schema: allow revision numbers of zeroAndrew Tridgell1-6/+3
w2k8r2 sends a revision of zero in the initial schema replication during a net vampire Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-20s4:provision Pass in the invoication ID and NTDS Settings DN to Schema()Andrew Bartlett3-2/+75
By putting these values into the cache on the LDB, this reduces some of the noise in provision, particularly with the LDAP backend. Andrew Bartlett
2010-04-17s4:dsdb/dns/dns_update.c - fix a typoMatthias Dieter Wallnöfer1-1/+1
2010-04-16s4:Replaced dsdb_get_dom_sid_from_ldb_message() with samdb_result_dom_sid()Nadezhda Ivanova2-55/+7
2010-04-15s4:rootdse: only return "tokenGroups", when the client asked for themStefan Metzmacher1-1/+1
metze
2010-04-15pydsdb: Fix memory leak on invalid parameters, formatting, trivialJelmer Vernooij1-8/+15
typos.
2010-04-15s4 python: Add a function to get the oid of an attribute when the attid is knownMatthieu Patou1-0/+37
This function is mainly to help decoding replPropertyMetaData in python Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-04-13s4:samdb_server_site_name - fix indentationMatthias Dieter Wallnöfer1-4/+6
2010-04-13s4:acl/descriptor LDB module - distinguish between root and default basednMatthias Dieter Wallnöfer2-0/+12
The first is the forest base DN, the second the domain base DN. At the moment we assume that they are both the same but it hasn't to be so. Nadia, I would invite you to fix the outstanding parts regarding this (I added comments).
2010-04-13s4:dsdb/common/util.c - add a call which determines centrally the forest DNS ↵Matthias Dieter Wallnöfer1-0/+19
domainname
2010-04-13s4:remove "samdb_root_dn", "samdb_base_dn", "samdb_config_dn" and ↵Matthias Dieter Wallnöfer1-20/+0
"samdb_schema_dn" They aren't needed anymore.
2010-04-13Revert "s4:prefer "samdb_*_dn" basedn calls over the "ldb_get_*_dn" functions"Matthias Dieter Wallnöfer11-21/+24
We should use the "ldb_get_*_basedn" calls since they are available in the LDB library.
2010-04-13s4:objectclass LDB module - remove a unneeded newlineMatthias Dieter Wallnöfer1-2/+1
2010-04-12s4:prefer "samdb_*_dn" basedn calls over the "ldb_get_*_dn" functionsMatthias Dieter Wallnöfer1-1/+1
Purely cosmetic change.
2010-04-11subunit: Remove more test output that could be interpreted by subunit.Jelmer Vernooij1-1/+1
2010-04-11subunit: Support formatting compatible with upstream subunit, for consistency.Jelmer Vernooij1-1/+1
Upstream subunit makes a ":" after commands optional, so I've fixed any places where we might trigger commands accidently. I've filed a bug about this in subunit.
2010-04-11s4:samdb_server_site_dn - free unused DNs in the right wayMatthias Dieter Wallnöfer1-2/+2
2010-04-10s4:dsdb Don't use the permissive modify control on schemaInfo updatesAndrew Bartlett1-2/+2
The use of 'replace' is enough to wipe out the old value, whatever it is, we don't need to set 'permissive modify' too. Additionally, this seems to be causing trouble for the OpenLDAP backend Andrew Bartlett
2010-04-10s4:dsdb Don't return operational attributes on special DNsAndrew Bartlett1-0/+5
2010-04-10s4:rootdse Implement "tokenGroups" in the rootDSEAndrew Bartlett1-0/+18
This returns the currently connected user's full token. This is very useful for debugging, and should be used in ACL tests. Andrew Bartlett
2010-04-10s4:dsdb Improve error message in extended_dn_inAndrew Bartlett1-1/+1
This error occours when an extended DN cannot be resolved, so it's most helpful to print the problematic extended DN. Andrew Bartlett
2010-04-10s4:schema Try to fix OpenLDAP backend after schema reload support.Andrew Bartlett1-4/+2
If we can't get @REPLCHANGED, default to a value of 0. Andrew Bartlett
2010-04-09s4/dsdb: Set schemaInfo attribute value during provisioningKamen Mazdrashki1-0/+49
After provisioning new Forest, schemaInfo should be set to a value with revision=1 and current invocation_id