Age | Commit message (Collapse) | Author | Files | Lines |
|
The merged I plan in this area require spliting security.h into
two header files, a common header and a session.h for the
remaining source4-specific code.
Andrew Bartlett
|
|
This will allow it to replace functions in source3 that use debug classes.
Andrew Bartlett
|
|
We intend to see always all objects with the "show_deleted" control specified.
To see also recycled objects (beginning with 2008_R2 function level) we need to
use the new "show_recycled" control.
As far as I see this is only internal code and therefore we don't run into
problems if we do substitute it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
this checks securiity on the NC root of the specified naming context
|
|
this will be used outside of the drs server.
This also fixes the handling of the ndr_size elements of the
drs_ObjectIdentifier
|
|
It takes a security token, an ldb_context, and the desired CAR and checks
if the principal has this CAR granted
|
|
we need the domain_sid to determine if the account is a RODC for our
domain
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
|
|
show the security token of the user at debug level 2
|
|
the sorting is quite delicate, and easier to get right in the
getncchanges code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
We need this for the linked attribute meta data
|
|
|
|
When we indicate that a getncchanges request is not complete, we set
the more_data flag to true in the response. The client usually then
asks for the next block of data. If the client decides it wants to
skip that replication and do a different replication then we need to
make sure that the next call is in fact a continuation of the existing
call, and not a new call.
This relies on returning the results sorted by uSNChanged, as the
client uses the tmp_highest_usn in each result to see if progress is
being made.
|
|
|
|
|
|
Even though we don't create deleted objects ourselves yet, we need to
pass along deleted objects we receive from other replication partners
|
|
getncchanges
When this flag is specified in the request these attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd
Their value is changed to NULL and the meta_data.originating_change_time to 0
|
|
|
|
|
|
This might help the windows client with ordered requests. Later we
need to support the "ancestors" mode flag.
|
|
|
|
|
|
There is also an option to disable the security check
by specifying in the smb.conf file:
drs:disable_sec_check = true
|
|
|
|
These will get quite complex eventually, I think we are better
separating them so the code is a bit easier to follow
|
|
This call is made by DCs to tell us we should notify them of directory
changes
|