Age | Commit message (Collapse) | Author | Files | Lines |
|
when a DC has the GUID_DRS_GET_FILTERED_ATTRIBUTES right on a NC, we
need to allow it to replicate if all the attributes it is asking for
are in the GC partial attribute set
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Tue Sep 20 13:47:38 CEST 2011 on sn-devel-104
|
|
|
|
loops when joining s4 domains
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Jul 27 00:46:56 CEST 2011 on sn-devel-104
|
|
When an object is deleted, link pointed to it are marked as inactive.
When the same object is purged we do not remmove the link pointed to it
(we can't know them) so they stay in the database, it turns to be a
problem for Windows 2008.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
this improved the logging of bugs related to linked attribute
replication
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Jun 10 03:26:21 CEST 2011 on sn-devel-104
|
|
upgraded links can be missing the RMD_ADDTIME field
|
|
sub-function "forget" to do this
|
|
Right now it is solely based on function that handles objects
in normal DsGetNCChanges calls.
|
|
|
|
|
|
in case that destination_dsa_guid is not valid
|
|
"ldb_dn_validate" is NULL-safe and does the check implicitly.
Reviewed by: Tridge
|
|
than once
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Feb 15 09:46:55 CET 2011 on sn-devel-104
|
|
|
|
don't use it
metze
|
|
metze
|
|
DSDB_SECRET_ATTRIBUTES
We should replicate all secret attributes back to other DCs.
metze
|
|
we now keep just a list of GUIDs around between getncchanges calls,
instead of an entire db search. This makes the overhead of having a
pending getncchanges call much smaller.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Those values are actually ATTID values and such, they are used
for ATTIDs for Attributes, Classes and Syntaxes.
|
|
"samdb_result_uint64" and "samdb_result_string"
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The merged I plan in this area require spliting security.h into
two header files, a common header and a session.h for the
remaining source4-specific code.
Andrew Bartlett
|
|
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
added a simple mapping from req8
|
|
This implements partial attribute set checking on getncchanges. If the
client sends a partial_attribute_set then we only return the specified
attributes.
This also implements access checking on the NC root for the access
right GUIDs for requests with and without reveal secrets
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
this extended getncchanges operation replicates a single object
|
|
this allows for replication by GUID or SID
|
|
quieten make test a little
|
|
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Sep 27 04:54:43 UTC 2010 on sn-devel-104
|
|
this should reduce some of the clutter in make test
|
|
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
in case we are handling extended operation.
It seems that windows accept both DRSUAPI_EXOP_ERR_SUCCESS
and DRSUAPI_EXOP_ERR_NONE, but Samba is a little bit
more picky on this.
|
|
Most of extended operations I know of work like:
1. do extended operation
2. collect a set of objects to return and start replication cycle
3. continue returning object as we have no more to give
This way we ensure we are doing 1. only once
|
|
This adds support for DRSUAPI_EXOP_FSMO_REQ_ROLE, DRSUAPI_EXOP_FSMO_RID_REQ_ROLE
and DRSUAPI_EXOP_FSMO_REQ_PDC.
Developed in collaboration with Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
When DRSUAPI_EXOP_FSMO_RID_ALLOC extended op is handled
in DsGetNCChanges() stub, we need to returned a well know set of
object - see: [ms-adts], 3.1.1.5.1.7
With this hack we are going to return just objects modified
during RID allocation procedure - i.e. "RID Manager$", "RID Set" for
computer object and computer object itself.
Which is a close approximation of what we are expected to return.
|
|
They should be "unsigned" since they count LDB objects. And also the SID array
can be counted as "unsigned".
|
|
this is useful when debugging replication
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we just need to clear this flag
|
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
|
|
when we deny a EXOP_REPL_SECRET call we should set the exop error code
to NONE, and the main return code to WERR_DS_DRA_ACCESS_DENIED (based
on observing windows server behaviour)
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The rules for when a RODC can replicate secrets are:
- it can always replicate its own acct
- it can also replicate its krbtgt acct
- it can't replicate other krbtgt accts
- it can't replicate interdomain trust accounts
- it can't replicate users in the denied group list
- it can replicate users in the allowed group list
otherwise it can't replicate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
it exists
|
|
Depending on which NC is being replicated, GetNCChanges() returns
either ATTID based on local prefixMap or msDs-IntId value of
the attributeSchema class for the attribute being replicated.
If set, msDs-IntId value is always returned when replicating
object form NC other than Schema NC.
Objects in Schema NC replica always use prefixMap based ATTIDs.
|
|
This makes the structure more like Samba3's NT_USER_TOKEN
|
|
w2k8r2 is setting this bit as a RODC. Instead of refusing the
replication, we now remove the bit from req8, which means other places
in the code that check this bit can stay the same
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we need the domain_sid to determine if the account is a RODC for our
domain
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|