summaryrefslogtreecommitdiff
path: root/source4/rpc_server/drsuapi
AgeCommit message (Collapse)AuthorFilesLines
2010-09-16s4-drs: removed a debug print in repl secretAndrew Tridgell1-1/+0
2010-09-16s4-drs: get lpcfg_dnsdomain() instead of lpcfg_realm()Andrew Tridgell1-1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-16s4-drs: Wait DsReplicaSync for as long as it takes to completeKamen Mazdrashki1-2/+19
In case the caller wants sync execution, we should not cancel the call for internal timeout reason, but rather wait for its execution
2010-09-16s4-irpc: Add 'timeout' param for dcesrv_irpc_forward_rpc_call() callKamen Mazdrashki1-3/+7
It is to be used when caller wants to explicitly specify the timeout for the call
2010-09-15s4/fsmo: Remove empty new linesAnatoliy Atanasov1-6/+0
2010-09-10s4:getncchanges_change_master - also in this call "i" needs to be unsignedMatthias Dieter Wallnöfer1-1/+2
2010-09-10s4-drs: return DRSUAPI_EXOP_ERR_SUCCESS in extended_retKamen Mazdrashki1-0/+1
in case we are handling extended operation. It seems that windows accept both DRSUAPI_EXOP_ERR_SUCCESS and DRSUAPI_EXOP_ERR_NONE, but Samba is a little bit more picky on this.
2010-09-10s4-drs: Hanlde extended operations only onceKamen Mazdrashki1-40/+45
Most of extended operations I know of work like: 1. do extended operation 2. collect a set of objects to return and start replication cycle 3. continue returning object as we have no more to give This way we ensure we are doing 1. only once
2010-09-10s4-rpc: Added handling of fsmo role transfer to GetNCChangesNadezhda Ivanova1-0/+108
This adds support for DRSUAPI_EXOP_FSMO_REQ_ROLE, DRSUAPI_EXOP_FSMO_RID_REQ_ROLE and DRSUAPI_EXOP_FSMO_REQ_PDC. Developed in collaboration with Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-07s4-drs: Dump exact error when failure occurs during DsReplicaUpdateRefs callKamen Mazdrashki1-6/+10
2010-09-03s4-drs: A quick fix for DRSUAPI_EXOP_FSMO_RID_ALLOC extended_op handlingKamen Mazdrashki1-0/+9
When DRSUAPI_EXOP_FSMO_RID_ALLOC extended op is handled in DsGetNCChanges() stub, we need to returned a well know set of object - see: [ms-adts], 3.1.1.5.1.7 With this hack we are going to return just objects modified during RID allocation procedure - i.e. "RID Manager$", "RID Set" for computer object and computer object itself. Which is a close approximation of what we are expected to return.
2010-08-23s4:getncchanges.c - fix some counter variable typesMatthias Dieter Wallnöfer1-3/+3
They should be "unsigned" since they count LDB objects. And also the SID array can be counted as "unsigned".
2010-08-23s4-drs: show the user sid that does the GetNCChanges callAndrew Tridgell1-2/+3
this is useful when debugging replication Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-23s4-drs: removed the warning on WRIT_REP being setAndrew Tridgell1-4/+2
we just need to clear this flag
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett2-3/+3
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20s4-drs: fixed the error code for EXOP_REPL_SECRET getncchanges callsAndrew Tridgell1-10/+8
when we deny a EXOP_REPL_SECRET call we should set the exop error code to NONE, and the main return code to WERR_DS_DRA_ACCESS_DENIED (based on observing windows server behaviour) Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20s4-drs: bring us much closer to the docs for DRS secret replicationAndrew Tridgell1-9/+241
The rules for when a RODC can replicate secrets are: - it can always replicate its own acct - it can also replicate its krbtgt acct - it can't replicate other krbtgt accts - it can't replicate interdomain trust accounts - it can't replicate users in the denied group list - it can replicate users in the allowed group list otherwise it can't replicate Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20s4-drs: implement RODC attribute filtering overrideAndrew Tridgell1-24/+50
When a RODC uses extended getncchanges operation DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to replicate the secret attributes. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-20s4-drs: added sam_ctx_system on DRS bind stateAndrew Tridgell2-0/+20
The getncchanges call needs to be able to access the sam as the system user for RODC clients. To do this it needs a sam_ctx connection with system credentials Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-19s4-drs: ATTIDs for deleted attributes should be based on msDs-IntId value if ↵Kamen Mazdrashki1-1/+2
it exists
2010-08-19s4-drs: GetNCChanges() to return correct (in AD-way) ATTIDsKamen Mazdrashki1-3/+16
Depending on which NC is being replicated, GetNCChanges() returns either ATTID based on local prefixMap or msDs-IntId value of the attributeSchema class for the attribute being replicated. If set, msDs-IntId value is always returned when replicating object form NC other than Schema NC. Objects in Schema NC replica always use prefixMap based ATTIDs.
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett2-3/+3
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-17s4-drs: allow getncchanges from RODC with WRIT_REP setAndrew Tridgell1-2/+2
w2k8r2 is setting this bit as a RODC. Instead of refusing the replication, we now remove the bit from req8, which means other places in the code that check this bit can stay the same Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-17s4-drs: added domain_sid to DRS security checksAndrew Tridgell6-10/+14
we need the domain_sid to determine if the account is a RODC for our domain Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell4-8/+8
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-09s4:drsuapi: don't return all linked attributes at the same timeStefan Metzmacher1-8/+51
Windows gives them in chunks, but I don't know the correct rule to calculate the chunk size. For now I'll use 1500 as the max size. Windows isn't happy when it gets ~ 100000 linked attributes in one response. It corrupts its directory index and later moves some objects to the LostAndFound folder. metze
2010-07-08s4:drsuapi RPC server - "result_site_name" - fix variable denominationMatthias Dieter Wallnöfer1-3/+3
2010-06-28s4:dcesrv_drsuapi.c - fix a counter variableMatthias Dieter Wallnöfer1-2/+1
2010-06-26s4:rpc_server/drsuapi/drsutil.c - remove unreachable codeMatthias Dieter Wallnöfer1-1/+0
2010-05-18Finish removal of iconv_convenience in public API's.Jelmer Vernooij1-2/+1
2010-04-29s4/rodc: RODC FAS initial implementationAnatoliy Atanasov1-11/+10
2010-04-28s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUIDKamen Mazdrashki1-4/+4
This function is used in DRSUpdateRefs() implementation where we get DSA's objectGUID rather than invocationId
2010-04-27s4-getncchanges: honor DRSUAPI_DRS_REF_GCSPNAndrew Tridgell1-1/+3
this is an alternative way of establishing repsTo
2010-04-26s4-drs: don't send uninstantiated objects in getncchangesAndrew Tridgell1-0/+5
This includes deleted partitions Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-drs: validate RODC credentials via the user_sidAndrew Tridgell1-27/+12
This checks whether a replication client is a RODC by inclusion of the the DOMAIN_RID_ENTERPRISE_READONLY_DCS sid in the users token Pair-Programmed-With: Rusty Russell <rusty@samba.org> Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER levelAndrew Tridgell5-14/+34
This is used for allowing operations by RODCs, and denying them operations that should only be allowed for a full DC This required a new domain_sid argument to security_session_user_level() Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Rusty Russell <rusty@samba.org>
2010-04-22s4-drs: only allow replication with the right invocationIdAndrew Tridgell1-1/+20
Non-administrator replication checks the invocationId matches the sid of the user token being used Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-22s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges replyFernando J V da Silva1-0/+14
During building an object to send it on a GetNCChanges reply, it checks the attributes and if any of them is a RODC filtered and the recipient is a RODC, then such attribute is not sent. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-22s4-drs: samdb_is_rodc() function and new samdb_rodc() functionFernando J V da Silva1-1/+13
This patch creates the samdb_is_rodc() function, which looks for the NTDSDSA object for a DC that has a specific invocationId and if msDS-isRODC is present on such object and it is TRUE, then consider the DC as a RODC. The new samdb_rodc() function uses the samdb_is_rodc() function for the local server. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-13Revert "s4:prefer "samdb_*_dn" basedn calls over the "ldb_get_*_dn" functions"Matthias Dieter Wallnöfer1-2/+2
We should use the "ldb_get_*_basedn" calls since they are available in the LDB library.
2010-03-24s4/drs: drsuapi_DsAddEntry_ErrData propagate structure def in source codeKamen Mazdrashki1-4/+4
2010-03-16s4:dsdb Change dsdb_get_schema() callers to use new talloc argumentAndrew Bartlett1-2/+2
This choses an appropriate talloc context to attach the schema too, long enough lived to ensure it does not go away before the operation compleates. Andrew Bartlett
2010-03-11s4:rpc_server/drsuapi: don't reset [out,ref] pointer to NULL in ↵Stefan Metzmacher1-1/+0
dcesrv_drsuapi_DsRemoveDSServer() metze
2010-03-11s4/rpc_server Don't segfault over replPropertyMetaData contentsAndrew Bartlett1-0/+7
The replPropertyMetaData may contain attrid values that we don't yet have in the local schema. We need to deal with this - it is a serious error, but we should not segfault. Andrew Bartlett
2010-03-05s4:drsuapi RPC - Change also here counters to "unsigned"Matthias Dieter Wallnöfer3-7/+8
No need to have "signed" counters at those places.
2010-03-01s4/rodc: Implement samdb_rodc with ldb contextAnatoliy Atanasov1-1/+1
2010-02-16s4-dsdb: replace dsdb_modify_permissive() with dsdb_modify() and dsdb_flagsAndrew Tridgell2-2/+4
2010-02-15s4-drs: replace manual checks with dsdb_modify_permissive()Andrew Tridgell1-32/+1
Much simpler to use the permissive control instead of manually munging the SPN list.
2010-02-15s4-drs: use a permissive modify in addentryAndrew Tridgell1-1/+1
It is not an error if entries already exist.
2010-02-13s4: use LDB_TYPESAFE_QSORT() instead of ldb_qsort()Andrew Tridgell1-3/+2