summaryrefslogtreecommitdiff
path: root/source4/rpc_server/drsuapi
AgeCommit message (Collapse)AuthorFilesLines
2010-09-03s4-drs: A quick fix for DRSUAPI_EXOP_FSMO_RID_ALLOC extended_op handlingKamen Mazdrashki1-0/+9
When DRSUAPI_EXOP_FSMO_RID_ALLOC extended op is handled in DsGetNCChanges() stub, we need to returned a well know set of object - see: [ms-adts], 3.1.1.5.1.7 With this hack we are going to return just objects modified during RID allocation procedure - i.e. "RID Manager$", "RID Set" for computer object and computer object itself. Which is a close approximation of what we are expected to return.
2010-08-23s4:getncchanges.c - fix some counter variable typesMatthias Dieter Wallnöfer1-3/+3
They should be "unsigned" since they count LDB objects. And also the SID array can be counted as "unsigned".
2010-08-23s4-drs: show the user sid that does the GetNCChanges callAndrew Tridgell1-2/+3
this is useful when debugging replication Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-23s4-drs: removed the warning on WRIT_REP being setAndrew Tridgell1-4/+2
we just need to clear this flag
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett2-3/+3
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20s4-drs: fixed the error code for EXOP_REPL_SECRET getncchanges callsAndrew Tridgell1-10/+8
when we deny a EXOP_REPL_SECRET call we should set the exop error code to NONE, and the main return code to WERR_DS_DRA_ACCESS_DENIED (based on observing windows server behaviour) Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20s4-drs: bring us much closer to the docs for DRS secret replicationAndrew Tridgell1-9/+241
The rules for when a RODC can replicate secrets are: - it can always replicate its own acct - it can also replicate its krbtgt acct - it can't replicate other krbtgt accts - it can't replicate interdomain trust accounts - it can't replicate users in the denied group list - it can replicate users in the allowed group list otherwise it can't replicate Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20s4-drs: implement RODC attribute filtering overrideAndrew Tridgell1-24/+50
When a RODC uses extended getncchanges operation DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to replicate the secret attributes. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20s4-drs: added sam_ctx_system on DRS bind stateAndrew Tridgell2-0/+20
The getncchanges call needs to be able to access the sam as the system user for RODC clients. To do this it needs a sam_ctx connection with system credentials Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-19s4-drs: ATTIDs for deleted attributes should be based on msDs-IntId value if ↵Kamen Mazdrashki1-1/+2
it exists
2010-08-19s4-drs: GetNCChanges() to return correct (in AD-way) ATTIDsKamen Mazdrashki1-3/+16
Depending on which NC is being replicated, GetNCChanges() returns either ATTID based on local prefixMap or msDs-IntId value of the attributeSchema class for the attribute being replicated. If set, msDs-IntId value is always returned when replicating object form NC other than Schema NC. Objects in Schema NC replica always use prefixMap based ATTIDs.
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett2-3/+3
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-17s4-drs: allow getncchanges from RODC with WRIT_REP setAndrew Tridgell1-2/+2
w2k8r2 is setting this bit as a RODC. Instead of refusing the replication, we now remove the bit from req8, which means other places in the code that check this bit can stay the same Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-drs: added domain_sid to DRS security checksAndrew Tridgell6-10/+14
we need the domain_sid to determine if the account is a RODC for our domain Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell4-8/+8
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-09s4:drsuapi: don't return all linked attributes at the same timeStefan Metzmacher1-8/+51
Windows gives them in chunks, but I don't know the correct rule to calculate the chunk size. For now I'll use 1500 as the max size. Windows isn't happy when it gets ~ 100000 linked attributes in one response. It corrupts its directory index and later moves some objects to the LostAndFound folder. metze
2010-07-08s4:drsuapi RPC server - "result_site_name" - fix variable denominationMatthias Dieter Wallnöfer1-3/+3
2010-06-28s4:dcesrv_drsuapi.c - fix a counter variableMatthias Dieter Wallnöfer1-2/+1
2010-06-26s4:rpc_server/drsuapi/drsutil.c - remove unreachable codeMatthias Dieter Wallnöfer1-1/+0
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij1-2/+1
2010-04-29s4/rodc: RODC FAS initial implementationAnatoliy Atanasov1-11/+10
2010-04-28s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUIDKamen Mazdrashki1-4/+4
This function is used in DRSUpdateRefs() implementation where we get DSA's objectGUID rather than invocationId
2010-04-27s4-getncchanges: honor DRSUAPI_DRS_REF_GCSPNAndrew Tridgell1-1/+3
this is an alternative way of establishing repsTo
2010-04-26s4-drs: don't send uninstantiated objects in getncchangesAndrew Tridgell1-0/+5
This includes deleted partitions Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-drs: validate RODC credentials via the user_sidAndrew Tridgell1-27/+12
This checks whether a replication client is a RODC by inclusion of the the DOMAIN_RID_ENTERPRISE_READONLY_DCS sid in the users token Pair-Programmed-With: Rusty Russell <rusty@samba.org> Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER levelAndrew Tridgell5-14/+34
This is used for allowing operations by RODCs, and denying them operations that should only be allowed for a full DC This required a new domain_sid argument to security_session_user_level() Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Rusty Russell <rusty@samba.org>
2010-04-22s4-drs: only allow replication with the right invocationIdAndrew Tridgell1-1/+20
Non-administrator replication checks the invocationId matches the sid of the user token being used Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges replyFernando J V da Silva1-0/+14
During building an object to send it on a GetNCChanges reply, it checks the attributes and if any of them is a RODC filtered and the recipient is a RODC, then such attribute is not sent. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s4-drs: samdb_is_rodc() function and new samdb_rodc() functionFernando J V da Silva1-1/+13
This patch creates the samdb_is_rodc() function, which looks for the NTDSDSA object for a DC that has a specific invocationId and if msDS-isRODC is present on such object and it is TRUE, then consider the DC as a RODC. The new samdb_rodc() function uses the samdb_is_rodc() function for the local server. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-13Revert "s4:prefer "samdb_*_dn" basedn calls over the "ldb_get_*_dn" functions"Matthias Dieter Wallnöfer1-2/+2
We should use the "ldb_get_*_basedn" calls since they are available in the LDB library.
2010-03-24s4/drs: drsuapi_DsAddEntry_ErrData propagate structure def in source codeKamen Mazdrashki1-4/+4
2010-03-16s4:dsdb Change dsdb_get_schema() callers to use new talloc argumentAndrew Bartlett1-2/+2
This choses an appropriate talloc context to attach the schema too, long enough lived to ensure it does not go away before the operation compleates. Andrew Bartlett
2010-03-11s4:rpc_server/drsuapi: don't reset [out,ref] pointer to NULL in ↵Stefan Metzmacher1-1/+0
dcesrv_drsuapi_DsRemoveDSServer() metze
2010-03-11s4/rpc_server Don't segfault over replPropertyMetaData contentsAndrew Bartlett1-0/+7
The replPropertyMetaData may contain attrid values that we don't yet have in the local schema. We need to deal with this - it is a serious error, but we should not segfault. Andrew Bartlett
2010-03-05s4:drsuapi RPC - Change also here counters to "unsigned"Matthias Dieter Wallnöfer3-7/+8
No need to have "signed" counters at those places.
2010-03-01s4/rodc: Implement samdb_rodc with ldb contextAnatoliy Atanasov1-1/+1
2010-02-16s4-dsdb: replace dsdb_modify_permissive() with dsdb_modify() and dsdb_flagsAndrew Tridgell2-2/+4
2010-02-15s4-drs: replace manual checks with dsdb_modify_permissive()Andrew Tridgell1-32/+1
Much simpler to use the permissive control instead of manually munging the SPN list.
2010-02-15s4-drs: use a permissive modify in addentryAndrew Tridgell1-1/+1
It is not an error if entries already exist.
2010-02-13s4: use LDB_TYPESAFE_QSORT() instead of ldb_qsort()Andrew Tridgell1-3/+2
2010-02-13s4-rpcserver: use TYPESAFE_QSORT() in rpc serversAndrew Tridgell1-14/+12
2010-02-05s4/drs: propagate DRS_ extension flags in code baseKamen Mazdrashki1-1/+1
2010-01-18idl: switched to using the WSPP names for the 'neighbour' DRS optionsAndrew Tridgell1-4/+4
The documentation shows that all these functions in fact use the same flags variable type. To be consistent between functions, and to allow easy reference to the WSPP docs, it is better for us to also use this generic DrsOptions bitfield rather than one per operations.
2010-01-17s4-drs: allow for security bypass for DsReplicaGetInfoAndrew Tridgell1-5/+9
Use --option=drs:disable_sec_check=true until the group membership bug with the PAC is fixed.
2010-01-16s4-dsdb: take advantage of local cursor and sortAndrew Tridgell1-34/+3
in getncchanges and repl task we don't need the extra load and sort any more.
2010-01-16s4-drs: use dsdb_load_udv_v2() in getncchanges codeAndrew Tridgell1-52/+6
2010-01-16s4-drs: better debug info when security checks failAndrew Tridgell1-3/+8
show the security token of the user at debug level 2
2010-01-16s4-dsdb: require admin access for DsReplicaGetInfoAndrew Tridgell1-5/+7
2010-01-16s4-drs: framework for DsGetReplInfo(), includes the DS_REPL_INFO_NEIGHBORS ↵Andrew Tridgell1-1/+11
infoType. This patch includes the framework for the implementation of all infoTypes of the DsGetReplInfo() call, and includes the implementation for the first one, the DS_REPL_INFO_NEIGHBORS. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-01-16s4-drs: give better debug info on unsupported DRS callsAndrew Tridgell1-14/+20