Age | Commit message | Author | Files | Lines |
|
Do not use policy_state->sam_ldb and trusted_domain_state->policy->sam_ldb
interchangeably all over the place. Just use sam_ldb everywhere and make the
code slightly more readable.
|
|
This was causing marshalling faults when we returned errors.
|
|
After looking at the s4 side of the (s)channel :) I found out that it makes
more sense to simply make it use the tdb based code than redo the same changes
done to s3 to simplify the interface.
Ldb is slow, to the point it needs hacks to pre-open the db to speed it up, yet
that does not solve the lookup speed, with ldb it is always going to be slower.
Looking through the history it is evident that the schannel database doesn't
really need great expandability. And lookups are always done with a single
key. This seems a perfect fit for tdb while ldb looks unnecessarily complicated.
The schannel database is not really a persistent one. It can be discarded during
an upgrade without causing any real issue. All it contains is temporary session
data.
|
|
Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on the caller's
security requirements (Integrity/Privacy/Both/None)
This is the same change applied to s3
|
|
Simo, I'm not really sure that those checks are valid. I read MS-NRPC section
3.5.4.1 about LOGONSRV_HANDLEs ("server_name" is of this type). There isn't
stated that the server name has necessarily to be in the DNS form and should
also be valid when it's NULL (if DCE server and client are the same - I don't
know if we make use of it in s4).
|
|
start implementing calls related to trusted domain information
|
|
Actually return trust relationships by searching the appropriate
entries in the SAM database.
Add checks and return the correct flags, type and attributes.
|
|
remove trailing spaces, tabs and blank lines
|
|
When searching for a trusted domain object to open, search also the DNS Name
attributes for a match. W2K8R2 uses the DNS domain if available.
|
|
stop this function from making my eyes bleed
|
|
This allows the interface version to be forwarded to the remote server
in the RPC proxy, both in the endpoint lookup and the subsequent bind.
Andrew Bartlett
|
|
By recording the association group the remote server assigned to our
proxied RPC connection, we can ensure we use the same value when the
client wishes to use it.
This isn't stored in a private pointer, as mapiproxy will want to use
this feature too.
Andrew Bartlett
|
|
The recent dcerpc padding changes made our padding relative to the
packet header, instead of the start of the stub. Surprisingly, this
broke w2k8r2 doing a dcpromo join to a s4 server. It seems that w2k8r2
is very fussy about the padding it gets in some circumstances.
|
|
This allows for controls to be added easily where they are needed.
|
|
Much simpler to use the permissive control instead of manually munging
the SPN list.
|
|
It is not an error if entries already exist.
|
|
One empty line is enough for code part divisions.
|
|
The last change broke net vampire against w2k8r2
|
|
Cope with a wider range of auth padding in dcerpc bind_ack and
alter_context packets. We now use a helper function that calculates
the right auth padding.
|
|
This should return NT_STATUS_INVALID_PARAMETER.
This makes samba pass the first part of the samr-lockout test.
This constraint is documented here for the samr server:
http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
and here for the ldap backend:
http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
MS-ADTS 3.1.1.5.3.2 Constraints
So the check should actually be moved down into the backend,
i.e. under dsdb/samdb/ldb_modules - TODO..
Michael
|
|
The documentation shows that all these functions in fact use the same
flags variable type. To be consistent between functions, and to allow
easy reference to the WSPP docs, it is better for us to also use this
generic DrsOptions bitfield rather than one per operation.
|
|
Use --option=drs:disable_sec_check=true until the group membership bug
with the PAC is fixed.
|
|
in getncchanges and repl task we don't need the extra load and sort
any more.
|
|
show the security token of the user at debug level 2
|
|
infoType.
This patch includes the framework for the implementation of all infoTypes of
the DsGetReplInfo() call, and includes the implementation for the first one,
the DS_REPL_INFO_NEIGHBORS.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This should match the MS-SAMR documentation (section 3.1.5.5.1.1)
|
|
for extended operations comparing to the ncRoot_dn is not correct
|
|
When a SPN is added and already exists, it is ignored. Similarly, when
a SPN is deleted and doesn't exist, it is ignored.
|
|
When a client supplied an uptodateness_vector, we can use it to filter
what objects we return. This greatly reduces the amount of replication
traffic between DCs.
|
|
the search happens on a different DN to the NC of the request, but the
reply is with the original NC
|
|
w2k8r2 wants these after a DCPROMO
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|