Age | Commit message (Collapse) | Author | Files | Lines |
|
added a simple mapping from req8
|
|
New feature that enables LDAPCmp users to find unmatched or
missing ACEs in objects for the three naming contexts between
DCs in one domain (default) or different domains. Comparing
security descriptors is not the default action but attribute
compatison. So to activate the new mode there is --sd switch.
However there are two view modes to the new --sd action which
are 'section' (default) or 'collision'. In 'section' mode you
can only find differences connected to missing or value
unmatched ACEs but not disorder unmatch if ACE values and count
are the same. All of the mentioned differences plus disorder
ACE unmatch you can observe under 'collision' view however
it is more verbose.
Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
|
|
|
|
we use the ADD_REF bit in getncchanges instead
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
we were incorrectly avoiding a getncchanges when WRIT_REP was not set
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
if our calculated replica_flags doesn't match the ones in our repsFrom
then update it
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
|
|
behaviour in EnumPrinter and GetPrinter calls.
Guenther
|
|
when we setup the krbtgt_NNNN account using the DCPROMO_OID control,
we also need to set an initial password for this account
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
added --pas, --dest-dsa and --replica-flags options
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
This implements partial attribute set checking on getncchanges. If the
client sends a partial_attribute_set then we only return the specified
attributes.
This also implements access checking on the NC root for the access
right GUIDs for requests with and without reveal secrets
Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
this checks securiity on the NC root of the specified naming context
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we can't do SPN updates via sam writes and replication, as the sam is
read-only
|
|
this will be used by samba_spnupdate
|
|
Our helper scripts can fail on Fedora with the PDT timezone (Western
USA). This is the same issue we found with Heimdal earlier today, the
24 second difference between GMT and UTC, but this time in MIT
Kerberos as linked into bind9.
By forcing TZ=GMT in these scripts we avoid the problem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
A RODC cannot assume a role, and unwillingToPerform must be
returned if such request is sent via LDAP
|
|
we don't want to force the KDC to be ourselves, we should
be using DNS to find a live KDC. Also remove some other options and
allow the krb5 lib to use defaults.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This was a wonderful bug!
On some Fedora systems, but not on Ubuntu, there is a difference
between UTC and GMT. Heimdal replaced timegm() with _der_timegm()
which did not account for that difference (which is 24 seconds at the
moment). This led to a mutual authentication failure.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Thanks to Nadya for finding this one!
|
|
the krbtgt role).
Andrew Bartlett
|
|
If we re-use this context, we overwrite the timestamp while talking
to the KDC and fail the mutual authentiation with the target server.
Andrew Bartlett
|
|
this extended getncchanges operation replicates a single object
|
|
this is expected for non-sam LDBs
|
|
this allows for replication by GUID or SID
|
|
this will be used outside of the drs server.
This also fixes the handling of the ndr_size elements of the
drs_ObjectIdentifier
|
|
thanks to ita for this
|
|
|
|
It takes a security token, an ldb_context, and the desired CAR and checks
if the principal has this CAR granted
|
|
|
|
If the host running this code used IPv6 forms for IPv4 addreses
then the check for '.' would not be sufficient to determine that this
isn't a name we should mangle. Instead, check if it can be parsed
as a numeric address first, and only then mangle.
Andrew Bartlett
|
|
This includes rewriting the PAC if the original krbtgt isn't to be
trusted, and reading different entries from the DB for the krbtgt
depending on the krbtgt number.
Andrew Bartlett
|
|
In this case, the whole request packet should be forwarded to
a real KDC, with full secrets, as we don't have the password.
This could also be used to implement 'play dead when the LDAP
server is down'.
Andrew Bartlett
|
|
This should allow master key rollover.
(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)
Andrew Bartlett
|
|
This means we just set up the system_session etc in one place
and don't diverge between the MIT and Heimdal plugins.
We also now determine if we are an RODC and store some details
that we will need later.
Andrew Bartlett
|
|
If we don't we could show an old, incrorrect error
|
|
This simplifies the function. While doing so, also change the error
string setting to set a really clear error string for the failure to find
and failure to parse cases.
Andrew Bartlett
|
|
This is important, as we must ignore the PAC from an RODC.
Andrew Bartlett
|
|
Andrew Bartlett
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
this can be used to force an immediate test failure on the first
failed test case. You can also use:
make test FAIL_IMMEDIATELY=1
|