Age | Commit message (Collapse) | Author | Files | Lines |
|
password call
This implements a very basic method for password validation using my new
"samdb_check_password" call.
|
|
We always steal the state to the policy handle on success,
but untill then keep it on the short term context.
metze
|
|
This allows us to reuse a ldb context if it is open twice, instead
of going through the expensive process of a full ldb open. We can
reuse it if all of the parameters are the same.
The change relies on callers using talloc_unlink() or free of a parent
to close a ldb context.
|
|
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
|
|
|
|
|
|
If we don't talloc_free the handle, we leak the memory onto the long-term
context.
Andrew Bartlett
|
|
The user entry is only required for this function, so use
mem_ctx to hold it.
Andrew Bartlett
|
|
Andrew Bartlett
|
|
Found by RPC-LSA-TRUSTED-DOMAIN torture test.
Guenther
|
|
|
|
|
|
and supported encryption types)
This is simply for better performance (no functional change).
|
|
|
|
We were storing privileges in the sam, which was OK when we were a
standalone DC, but is no good when we replicate with a windows DC.
This moves the privileges to a separate (local) database
|
|
"dcerpc_generic_session_key"
I don't think that this code needs to exist identically on the server and on the
client side. This patch leaves it on the client side (dcerpc lib) and calls it
from the server.
|
|
The DRSUAPI_DRS_ADD_REF flag tells the DRS server to run an UpdateRefs
call on behalf of the client after the DsGetNCChanges call. The lack
of support for this option may explain why the repsTo attribute was
not being created for w2k8-r2 replication partners.
|
|
The DsUpdateRefs calls takes a set of flags that indicates if the
server should ignore specific add/delete error codes.
This patch also exposes the core UpdateRefs call into a public
function, so that it can be called from DsGetNCChanges
|
|
Check the validity of the requested options in DsGetNCChanges
|
|
For KERBEROS applications the realm should be upcase (function "lp_realm") but
for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch
implements the use of both in the right way.
|
|
|
|
In this code part under certain circumstances we can end up with an empty message.
Since our new behaviour denies them (like the real AD) we need to bypass them
on LDB modify calls.
|
|
|
|
Make more use of constants and add some braces around "if" blocks
|
|
When we indicate that a getncchanges request is not complete, we set
the more_data flag to true in the response. The client usually then
asks for the next block of data. If the client decides it wants to
skip that replication and do a different replication then we need to
make sure that the next call is in fact a continuation of the existing
call, and not a new call.
This relies on returning the results sorted by uSNChanged, as the
client uses the tmp_highest_usn in each result to see if progress is
being made.
|
|
|
|
|
|
|
|
Now that the bind opens samdb with the right credentials, we no longer
need the re-open in updaterefs and getncchanges
|
|
|
|
When a DC connects to DRS, open the samdb with system session
credentials, so that we don't have to re-open it each time on other
calls.
|
|
|
|
In the srvsvc code for s4 (NTVFS module) there exists a call to "ntvfs_connect"
which is performed with a totally wrong argument. Since I'm not able to fix
this, I commented it out and added a "FIXME" comment.
|
|
mdw is working on the correct call to check the password strength
|
|
Update to use the new DS_DNS_FOREST_ROOT name, which makes it clearer
what this bit means (according to MS-ADTS doc)
|
|
|
|
|
|
- always fetch parentGUID from databases, don't rely on parentGUID in
attributes
- re-fetch nc root mesages to avoid the problem of dual messages for
roots
- support returning messages a chunk at a time, using max_object_count
from request
|
|
|
|
|
|
Use msg->elements for the new element values
|
|
Even though we don't create deleted objects ourselves yet, we need to
pass along deleted objects we receive from other replication partners
|
|
getncchanges
When this flag is specified in the request these attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd
Their value is changed to NULL and the meta_data.originating_change_time to 0
|
|
When this flag is specified in the request we should return
for ncRoot only and so scope of search is LDB_SCOPE_BASE.
|
|
When this flag is specified in the request we shouldn't use the
uptodateness vector in the request.
|
|
|
|
In DsGetNCChanges we need to fill in the parentGUID and objectGUID of
each object, plus we need to filter out the rDN from the meta data,
and always send the instanceType
|
|
|
|
This seems to be what w2k8 does
|
|
|