Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
|
|
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
|
|
--server-role
This must be set to either 'domain controller', 'domain member' or 'standalone'.
The default for the provision now changes to 'standalone'.
This is not because Samba4 is particularlly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.
We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.
Andrew Bartlett
(This used to be commit 4cc4ed7719aff712e735628410bd3813c7d6aa40)
|
|
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
|
|
ts=4 lines that I accidently added earlier.
(This used to be commit 0bcb21ed740fcec0f48ad36bbc2deee2948e8fc7)
|
|
(This used to be commit 31993cf67b816a184a4a4e92ef8ca2532c797190)
|
|
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
|
|
(This used to be commit 26cf8494084c0106ef0e1c9b6ef40eeadf945ef2)
|
|
should allow us to fix some long standing memory leaks.
(This used to be commit 3db49c2ec9968221c1361785b94061046ecd159d)
|
|
Samba4. This only broke on global catalog queries, which turned out to
be due to changes in the partitions module that metze needed for his
DRSUAPI work.
I've reworked partitions.c to always include the 'problematic' control,
and therefore demonstrated that this is the issue. This ensures
consistency, and should help with finding issues like this in future.
As this control (DSDB_CONTROL_CURRENT_PARTITION_OID) is not intended to
be linearised, I've added logic to allow it to be skipped when creating
network packets.
I've likewise make our LDAP server skip unknown controls, when marked
'not critical' on it's input, rather than just dropping the entire
request. I need some help to generate a correct error packet when it is
marked critical.
Further work could perhaps be to have the ldap_encode routine return a
textual description of what failed to encode, as that would have saved
me a lot of time...
Andrew Bartlett
(This used to be commit eef710668f91d1bbaa2d834d9e653e11c8aac817)
|
|
mutiple flags not just 1 for being a global catalog
metze
(This used to be commit 202645e196b1425f9043bd34dd02a1418e2e3dd9)
|
|
way to setup a Samba4 DC is to set 'server role = domain controller'.
We use the fSMORoleOwner attribute in the base DN to determine the PDC.
This patch is quite large, as I have corrected a number of places that
assumed taht we are always the PDC, or that used the smb.conf
lp_server_role() to determine that.
Also included is a warning fix in the SAMR code, where the IDL has
seperated a couple of types for group display enumeration.
We also now use the ldb database to determine if we should run the
global catalog service.
In the near future, I will complete the DRSUAPI
DsGetDomainControllerInfo server-side on the same basis.
Andrew Bartlett
(This used to be commit 67d8365e831adf3eaecd8b34dcc481fc82565893)
|
|
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
|
|
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
|
|
(This used to be commit 3ce1796eb4cca7fd78366ee540a998a1ca377866)
|
|
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
|
|
not aiming to produce a high performance parallel ldap server, so
better to reserve the extra CPUs on a SMP box for file serving.
(This used to be commit 45c0580e5d3b18301bc5706423bb407d001fb61d)
|
|
configure check for the interfaces.
should fix the build on some old sun boxes
metze
(This used to be commit f20e251bfd9f1eb7ce5c00739631b1625a2aa467)
|
|
to do
(This used to be commit ad75cf869550af66119d0293503024d41d834e02)
|
|
- we need this to later:
- to disallow a StartTLS when TLS is already in use
- to place the TLS socket between the raw and sasl socket
when we had a sasl bind before the StartTLS
- and rfc4513 says that the server may allow to remove the TLS from
the tcp connection again and reuse raw tcp
- and also a 2nd sasl bind should replace the old sasl socket
metze
(This used to be commit 10cb9c07ac60b03472f2b0b09c4581cc715002ba)
|
|
routines to return an NTSTATUS. This should help track down errors.
Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.
Always return a new socket, even for the 'pass-though' case.
Andrew Bartlett
(This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
|
|
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets. It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default. It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket
layer.
Unusual in this pstch is the extra read callback argument I take. As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data. This would leave the system without an event
to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop. I believe that
the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:
+-----------------+---------------------+
| SASL Packet #1 | SASL Packet #2 |
----------------------------------------+
| LDAP Packet #1 | LDAP Packet #2 |
----------------------------------------+
In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP. Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.
Without data on the socket, read events stop. That is why I add timed
events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code. The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length. (1 + n/2). This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.
Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
|
|
The function pointer was meant to be unused, this patch fixes
partition.c to use ldb_sequence_number(). (No backend provided the
pointer any more).
Set the flags onto the ldb structure, so that all backends opened by
the partitions module inherit the flags.
Set the read-ony flag when accessed as the global catalog
Modify the LDAP server to track that this query is for the global
catalog (by incoming port), and set a opqaue pointer.
Next step is to read that opaque pointer in the partitions module.
Andrew Bartlett
(This used to be commit a1161cb30e4ffa09657a89e03ca85dd6efd4feba)
|
|
This reduces caller complexity, because the TLS code is now called
just like any other socket. (A new socket context is returned by the
tls_init_server and tls_init_client routines).
When TLS is not available, the original socket is returned.
Andrew Bartlett
(This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
|
|
even context again. We need to ensure we don't process packets until
we are finished setting up the connection, have the ldb in place etc.
We may need to do the same in other servers.
Andrew Bartlett
(This used to be commit 9bbc93bef2881251b734732d84bf0b2e5cf8b285)
|
|
stream_terminate_connection()
Andrew Bartlett
(This used to be commit a6c797986053ecf6bbce54028d7ea4106635c558)
|
|
- add set_title hook to the process models
- use setproctitle library in process_model standard if available
- the the title for the task servers and on connections
metze
(This used to be commit 526f20bbecc9bbd607595637c15fc4001d3f0c70)
|
|
to fix the process_model standard
metze
(This used to be commit a465126e15490c5605064eb2387fb589d312db7b)
|
|
metze
(This used to be commit d9da948b0f7f9698decc140a0a549d27675d14e4)
|
|
(This used to be commit 930daa9f416ecba1d75b8ad46bb42e336545672f)
|
|
file dependencies
(This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
|
|
metze
(This used to be commit 1340cb1f3bdbde4d3759d77b28631611c4e150bb)
|
|
Applications that use LDB modules will now have to run ldb_global_init()
before they can use LDB.
The next step will be adding support for loading LDB modules from .so
files. This will also allow us to use one LDB without difference between the
standalone and the Samba-specific build
(This used to be commit 52a235650514039bf8ffee99a784bbc1b6ae6b92)
|
|
some more work on timeouts
(This used to be commit a7e2fe3cb33be2effff7eb764047567f2da3cd55)
|
|
not yet enforced except for the initial connection timeout
(This used to be commit fa1ae9a44b0321b8e458bcb7fd1dcc9475b9bad3)
|
|
will not use it anyway as we plan to support
partitions in ldb directly like with rootdse
Merge ldap_simple_ldb into ldap_backend, it is
not simple anymore and makes no sense to have
it separated now that ldap partitions are gone
Initial attempt at working to some limit to avoid DOSs
for the ldap server.
Simo.
(This used to be commit 97bff3e049eba48019f2b0f3eb5a19e32fef2e23)
|
|
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
|
|
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
|
|
Get this out of the server credentials, and push it down to ldb via an
opaque pointer.
Andrew Bartlett
(This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3)
|
|
metze
(This used to be commit a7baf165c10c00096265b790d5362905c527806a)
|
|
The partitioning logic is still there, but we only have one
partition. If we need partitioning in the future it might be better to
remove this partitioning code and use a partitioning module instead
(This used to be commit f4685e7dc9bdc3b9e240c9f5891b9da9251f82e5)
|
|
enabling of packet serialisation
(This used to be commit 6a47cd65a8b588f9ddd375c57caaba08281e7cbb)
|
|
(This used to be commit 6ef4ba0c81002c9960dc5fe4fbfd0622957d492a)
|
|
(This used to be commit c913f466cd27030f8c696ab60b1a4a2eb2ac260c)
|
|
PDC. I suspect we should behave slightly differently on the two ports,
but this is a lot closer than not listening at all. When creating a
user with mmc the global catalog port is used to check for an existing
user
(This used to be commit f8430c3f41313d0a71cea23e1a2ef98f088aff44)
|
|
authenticated session down into LDB. This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.
Along the way, I cleaned up a few things, and added new helper functions
to assist. In particular the LSA pipe uses simpler queries for some of
the setup.
In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.
I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.
Andrew Bartlett
(This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
|
|
code, where a stream_terminate_connection() while processing a request
can cause a later defererence of the connection structure to die.
(This used to be commit efbcb0f74176058a74d7134dae4658b891fc6f16)
|
|
(This used to be commit b871ecbc2cf5ef2222e498f7819a06aa9082e155)
|
|
metze
(This used to be commit d02e1aa049f29590fbb5e08a32ee54177baa71a7)
|
|
Melcher. ldap_encode() now takes a memory context to use for the data
blob
(This used to be commit 09948a59336a7f02bf2b4605f2d4d886e65b85f2)
|