Age | Commit message (Collapse) | Author | Files | Lines |
|
The merged I plan in this area require spliting security.h into
two header files, a common header and a session.h for the
remaining source4-specific code.
Andrew Bartlett
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
this is needed for RODC clients calling updaterefs
|
|
|
|
|
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
|
|
This makes the structure more like Samba3's NT_USER_TOKEN
|
|
we need the domain_sid to determine if the account is a RODC for our
domain
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This function is used in DRSUpdateRefs() implementation where we
get DSA's objectGUID rather than invocationId
|
|
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
|
|
No need to have "signed" counters at those places.
|
|
|
|
w2k8-r2 in dcpromo asks for a delete+add during its initial join.
|
|
|
|
The DsUpdateRefs calls takes a set of flags that indicates if the
server should ignore specific add/delete error codes.
This patch also exposes the core UpdateRefs call into a public
function, so that it can be called from DsGetNCChanges
|
|
Now that the bind opens samdb with the right credentials, we no longer
need the re-open in updaterefs and getncchanges
|
|
There is also an option to disable the security check
by specifying in the smb.conf file:
drs:disable_sec_check = true
|
|
|
|
The key DRS calls should only be allowed by administrators or domain
controllers
|
|
We now have dsdb_loadreps() and dsdb_savereps()
|
|
Our vampire code sends a zero GUID in the updaterefs calls. Windows
seems to ignore the GUID and use the DN in the naming context instead,
so I have changed our UpdateRefs server implementation to do the same.
With this change we can now vampire from s4<->s4 successfully! Now to
see if all the attributes came across correctly.
|
|
|
|
These will get quite complex eventually, I think we are better
separating them so the code is a bit easier to follow
|
|
Metze pointed out what the windows tool ldp.exe will examine repsTo
attributes on remote DCs, so we do in fact need to use the same format
that windows uses. This patch changes the server side implementation
of UpdateRefs to use the windows format
|
|
This call is made by DCs to tell us we should notify them of directory
changes
|