Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
in case we are handling extended operation.
It seems that windows accept both DRSUAPI_EXOP_ERR_SUCCESS
and DRSUAPI_EXOP_ERR_NONE, but Samba is a little bit
more picky on this.
|
|
Most of extended operations I know of work like:
1. do extended operation
2. collect a set of objects to return and start replication cycle
3. continue returning object as we have no more to give
This way we ensure we are doing 1. only once
|
|
This adds support for DRSUAPI_EXOP_FSMO_REQ_ROLE, DRSUAPI_EXOP_FSMO_RID_REQ_ROLE
and DRSUAPI_EXOP_FSMO_REQ_PDC.
Developed in collaboration with Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
|
|
metze
|
|
dcesrv_irpc_forward_rpc_call()
metze
|
|
When DRSUAPI_EXOP_FSMO_RID_ALLOC extended op is handled
in DsGetNCChanges() stub, we need to returned a well know set of
object - see: [ms-adts], 3.1.1.5.1.7
With this hack we are going to return just objects modified
during RID allocation procedure - i.e. "RID Manager$", "RID Set" for
computer object and computer object itself.
Which is a close approximation of what we are expected to return.
|
|
Also remove bogus trustCurrentPasswords struct which we just had because our IDL
was incorrect.
Guenther
|
|
They should be "unsigned" since they count LDB objects. And also the SID array
can be counted as "unsigned".
|
|
this is useful when debugging replication
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we just need to clear this flag
|
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
|
|
metze
|
|
when we deny a EXOP_REPL_SECRET call we should set the exop error code
to NONE, and the main return code to WERR_DS_DRA_ACCESS_DENIED (based
on observing windows server behaviour)
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The rules for when a RODC can replicate secrets are:
- it can always replicate its own acct
- it can also replicate its krbtgt acct
- it can't replicate other krbtgt accts
- it can't replicate interdomain trust accounts
- it can't replicate users in the denied group list
- it can replicate users in the allowed group list
otherwise it can't replicate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The getncchanges call needs to be able to access the sam as the system
user for RODC clients. To do this it needs a sam_ctx connection with
system credentials
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
it exists
|
|
Depending on which NC is being replicated, GetNCChanges() returns
either ATTID based on local prefixMap or msDs-IntId value of
the attributeSchema class for the attribute being replicated.
If set, msDs-IntId value is always returned when replicating
object form NC other than Schema NC.
Objects in Schema NC replica always use prefixMap based ATTIDs.
|
|
This makes the structure more like Samba3's NT_USER_TOKEN
|
|
here the new password change syntax
|
|
Now it's finally possible that the user can change his password with a DSDB
connection using his credentials.
|
|
password sets
|
|
This was added as we are occasionally getting an encrypted unknown
netlogon call, and I'm having trouble looking at it in wireshark
|
|
This seems to be equivalent to SEC_CHAN_BDC, but for RODCs
|
|
w2k8r2 is setting this bit as a RODC. Instead of refusing the
replication, we now remove the bit from req8, which means other places
in the code that check this bit can stay the same
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we need the domain_sid to determine if the account is a RODC for our
domain
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional. Some elements may only make sense in Samba3, which I hope
will use this common structure.
Andrew Bartlett
|
|
Thanks to Metze for spotting this
|
|
Brad please check!
|
|
this gets replaced by vnum from the build rule
|
|
OpenChange needs this for dcerpc_register_ep_server()
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This fixes the build with --nonshared-binary=smbtorture,
as use by the source3/ make test.
metze
|
|
|
|
As ekacnet pointed out on the mailing list we don't need to do a delete if we
(re)set the values afterwards - only if we don't set any new ones.
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Windows gives them in chunks, but I don't know the correct
rule to calculate the chunk size.
For now I'll use 1500 as the max size.
Windows isn't happy when it gets ~ 100000 linked attributes in one
response. It corrupts its directory index and later moves some objects
to the LostAndFound folder.
metze
|
|
|
|
It has to consider the "password_expires" flag to known if the "pwdLastSet" has
to be updated or to be resetted.
|
|
on level 21
Taken from the s3 server code
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Taken from the s3 implementation.
|
|
Spotted by the Solaris 10 compiler
|
|
|
|
- Return always "NT_STATUS_OK" on success
- Remove "talloc_free"s on handles since the frees are automatically performed by
the DCE/RPC server code
|
|
Behaviour as the torture SAMR passwords tests show.
|
|
Taken from s3
|
|
from s3 to s4
|