summaryrefslogtreecommitdiff
path: root/source4
AgeCommit message (Collapse)AuthorFilesLines
2012-07-22s4 rfc2307 gids mapping fixSergey Urushkin1-7/+8
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-19Move source4/smbd/pidfile into lib/util in preparation for making it in common.Jeremy Allison3-139/+2
2012-07-19s4-param: Remove unused "idmap trusted only"Andrew Bartlett1-6/+0
When we revamp the idmap layer, we will end up just following the s3 options, and this option is not used there either. Andrew Bartlett Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-19s4-torture: Move check of map-to-guest above SID list checkAndrew Bartlett1-13/+13
This makes it easier to interpret failing output. Andrew Bartlett
2012-07-19s4-torture: Allow unix.whoami to test against a member serverAndrew Bartlett1-11/+55
This compares only the domain SIDs betwen the two servers, rather than the full token, as well known and other SIDs may be added locally in both cases. This also expands the test environments this is run against to verify this between our AD server and domain members. Andrew Bartlett
2012-07-19s4-torture: Also print GID values in whoami testAndrew Bartlett1-0/+3
2012-07-19torture: Print SIDs as additional debug output in unix.whoamiChristof Schmitt1-0/+4
2012-07-18s4-lib/tls: Try socket_send() multiple times to send partial packetsAndrew Bartlett1-13/+26
This works around an artificial limitation in socket_wrapper that breaks some versions of GnuTLS when we return a short write. Instead, keep pushing until the OS will not take it. The correct solution will be to use tls_tstream, but the client code for this is not yet tested and needs the ldap client layer changed to use it. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104
2012-07-18s4-librpc: Ensure we do not call call the decrpc timeout handler during ↵Andrew Bartlett3-5/+39
gensec_update() This avoids a situation where we could destroy pointers on the stack due to a nested event loop. This is certainly not a final, generic solution, but it is a minimal change while we work to make gensec and gensec_gssapi async. Andrew Bartlett
2012-07-18s4-dbcheck: Check for and correct incorrect instanceType valuesAndrew Bartlett1-0/+45
2012-07-18dsdb: Allocate new OID to allow updates of a read-only replicaAndrew Bartlett5-5/+15
Normally this would be a very bad idea, but the specific case of fixing the instanceType is the only case where this makes sense. Andrew Bartlett
2012-07-18s4-dsdb: Allow dbcheck to correct an incorrect instanceTypeAndrew Bartlett1-3/+5
2012-07-18s4-dsdb: Ensure we never write read-only objects onto a read-write replicaAndrew Bartlett1-1/+8
We should prevent this much further up the stack, but at least add a choke at this point for now. Additionally, this avoids administrator-forced replications causing considerable damange to the directory. Andrew Bartlett
2012-07-18source4/torture: add talloc_stackframe()Rusty Russell1-0/+3
We need a stackframe to call lp_load(). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au> Autobuild-Date(master): Wed Jul 18 09:31:07 CEST 2012 on sn-devel-104
2012-07-17s4-auth: Make sure we use the correct credential state.Andreas Schneider1-1/+6
If we create a copy of the credential state we miss updates to the credentials. To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2() For this we call netlogon_creds_client_authenticator() which increases the sequence number and steps the credentials. Lets assume the sequence number is 1002. After a successful authentication we get the server credentials and we send bind a auth request with the received creds. This sets up gensec and the gensec schannel module created a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002. After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here. The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead cause we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED cause we use a copy in gensec. Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4-librpc: Add capabilities check for AES encrypted connections.Andreas Schneider1-1/+110
Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4-torture: Improve samlogon test.Andreas Schneider1-0/+8
2012-07-17s4-torture: Add DCERPC_SCHANNEL_AES tests.Andreas Schneider1-1/+5
Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:rpc_server/netlogon: add support for AES based netlogon schannelStefan Metzmacher1-0/+4
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc: add DCERPC_SCHANNEL_AES supportStefan Metzmacher1-2/+15
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:rpc_server/netlogon: only return STRONG_KEYS if the client asked for itStefan Metzmacher1-26/+31
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:rpc_server/netlogon: implement netr_LogonGetCapabilitiesStefan Metzmacher1-2/+20
This is also needed to support AES. metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodcStefan Metzmacher1-4/+5
The RODC stuff doesn't depend on the schannel algorithm. metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc/dcerpc_schannel: rework downgrade logicStefan Metzmacher1-5/+38
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-15s4-param: Use a unique header nameAndrew Bartlett1-3/+3
2012-07-13s4-provision: Provide YP/NIS subtree to allow ADUC to see and set rfc2307 attrsGeza Gemes3-2/+536
When provisioning with --use_rfc2307=yes populate the subtree: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN} This makes it possible to manipulate the posix attributes via ADUC (commit message adjusted by abartlet) Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-13s4:registry:regdiff: use existing talloc context for the event contextMichael Adam1-1/+1
Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Fri Jul 13 02:51:44 CEST 2012 on sn-devel-104
2012-07-13s4:registry:regdiff: add TALLOC_CTX * argument to open_backend()Michael Adam1-6/+7
2012-07-13s4:registry: add a TALLOC_CTX argument to reg_open_remote()Michael Adam4-5/+7
2012-07-06s4-torture: add ntprinting ndr operations testsuite.Günther Deschner3-1/+442
Guenther Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Jul 6 20:55:26 CEST 2012 on sn-devel-104
2012-07-06s4-selftest: do a dbcheck on our two vampire DCsAndrew Bartlett1-1/+1
However, due to using --domain-critical-only we have to knownfail the vampire DC here, as we do not fill in the backlinks on non-critical objects correctly. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jul 6 16:54:10 CEST 2012 on sn-devel-104
2012-07-06s4-dbcheck: Check for an object without a parentAndrew Bartlett1-0/+44
Such objects are then moved to the appropriate LostAndFound container, just as they would be if replicated. Andrew Bartlett
2012-07-06s4-dsdb: Remove unused variables in py_dsdb_get_partitions_dnAndrew Bartlett1-3/+0
2012-07-06pydsdb: Add bindings for dsdb_wellknown_dn()Andrew Bartlett2-0/+38
2012-07-06s4-pydsdb: Add bindings for dsdb_find_nc_root()Andrew Bartlett2-0/+26
2012-07-06s4-pydsdb: Improve PyErr_LDB_{DN,}_OR_RAISE to use py_check_dcerpc_typeAndrew Bartlett1-2/+9
This checks the type rather than just dereferencing the pointer. Andrew Bartlett
2012-07-06auth: Common function for retrieving PAC_LOGIN_INFO from PACChristof Schmitt2-45/+0
Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-06s4-lsarpc: DCERPC_FAULT_ACCESS_DENIED for tcpAndreas Schneider1-0/+10
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Jul 6 11:50:40 CEST 2012 on sn-devel-104
2012-07-06s4-lsarpc: DCERPC_FAULT_ACCESS_DENIED for npAndreas Schneider3-0/+45
2012-07-06s4-lsarpc: Restrict LookupSids3 to crypto connections only.Andreas Schneider1-0/+10
2012-07-06s4-lsarpc: Restrict LookupNames4 to crypto connections only.Andreas Schneider1-0/+10
2012-07-06s4-lsarpc: Don't call lsa_OpenPolicy2 in lsa_LookupSids3.Andreas Schneider1-46/+48
2012-07-06s4-lsaprc: Don't call lsa_OpenPolicy2 in lsa_LookupNames4.Andreas Schneider1-49/+53
2012-07-06s4-selftest: Don't run lsarpc requiring a named pipe over tcpip.Andreas Schneider1-1/+1
2012-07-06s4-selftest: Don't plan lsa.secrets tests over tcpip.Andreas Schneider1-4/+4
These will only work over a named pipe or ncalrpc.
2012-07-06s4-libnet: Skip calling lsarpc functions over a wrong pipe.Andreas Schneider1-0/+9
2012-07-06s4-torture: Call lsarpc tests over the correct pipe.Andreas Schneider1-0/+6
2012-07-06s4-torture: Don't consider NONE_MAPPED an error in LookupSids3.Andreas Schneider1-3/+19
2012-07-06s4-torture: Don't consider NONE_MAPPED an error in LookupNames4.Andreas Schneider1-3/+15
2012-07-06s4-torture: Add a lsarpc test_GetUserName_fail function.Andreas Schneider1-0/+59