summaryrefslogtreecommitdiff
path: root/source4
AgeCommit message (Collapse)AuthorFilesLines
2010-10-01delete_object: Remove unnecessary pass calls.Jelmer Vernooij1-7/+0
2010-10-01s4-selftest: Remove unnecessary PYTHONPATH overrides.Jelmer Vernooij1-6/+6
2010-10-01s4-selftest: Normalize paths.Jelmer Vernooij1-5/+5
2010-10-01s4-selftest: Finish conversion of selftest.sh to Python.Jelmer Vernooij2-104/+104
2010-10-01s4-selftest: Convert tests.sh to Python.Jelmer Vernooij2-544/+510
2010-09-30s4-provision: wipe the old keytabs when provisioningAndrew Tridgell2-7/+29
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-30s4-rodc: fixed the keyVersionNumber on the RODC account in secrets.keytabAndrew Tridgell1-2/+5
we need to fetch the msDS-keyVersionNumber from the writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-30s4-drs: put the GCSPN flag into the repsTo if requestedAndrew Tridgell2-0/+8
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-30s4-libnet: wipe the old keytab when exportingAndrew Tridgell1-0/+2
this prevents confusion with old keytab entries Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-30s4-dsdb: silence the domainFunctionality not setup warningAndrew Tridgell1-1/+2
2010-09-30s4-drs: added support for level 10 of getncchangesAndrew Tridgell2-73/+112
added a simple mapping from req8
2010-09-30LDAPCmp feature to compare nTSecurityDescriptorsZahari Zahariev1-34/+252
New feature that enables LDAPCmp users to find unmatched or missing ACEs in objects for the three naming contexts between DCs in one domain (default) or different domains. Comparing security descriptors is not the default action but attribute compatison. So to activate the new mode there is --sd switch. However there are two view modes to the new --sd action which are 'section' (default) or 'collision'. In 'section' mode you can only find differences connected to missing or value unmatched ACEs but not disorder unmatch if ACE values and count are the same. All of the mentioned differences plus disorder ACE unmatch you can observe under 'collision' view however it is more verbose. Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-30s4-selftest: Add some more comments to skip file.Jelmer Vernooij1-1/+4
2010-09-30selftest: Eliminate some unnecessary spaces.Jelmer Vernooij1-36/+36
2010-09-29s4-drepl: don't call UpdateRefs on a RODCAndrew Tridgell1-5/+11
we use the ADD_REF bit in getncchanges instead Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-29s4-drepl: fixed the checking of replica_flags in the drepl serverAndrew Tridgell1-7/+0
we were incorrectly avoiding a getncchanges when WRIT_REP was not set Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-29s4-kcc: fixed the replica_flags in repsFrom in the kccAndrew Tridgell1-31/+72
if our calculated replica_flags doesn't match the ones in our repsFrom then update it Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-30s4-dns: send A record updates via TKEYAndrew Tridgell1-1/+6
2010-09-30s4-smbtorture: add new EnumPrinters test to test printername/servernameGünther Deschner1-13/+207
behaviour in EnumPrinter and GetPrinter calls. Guenther
2010-09-29s4-samldb: also set a password on the krbtgt_NNNN accountAndrew Tridgell1-0/+11
when we setup the krbtgt_NNNN account using the DCPROMO_OID control, we also need to set an initial password for this account Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29s4-devel: added new options to getncchanges scriptAndrew Tridgell1-9/+65
added --pas, --dest-dsa and --replica-flags options Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-29s4-drs: implement PAS checks and access checks for getncchangesAndrew Tridgell1-26/+130
This implements partial attribute set checking on getncchanges. If the client sends a partial_attribute_set then we only return the specified attributes. This also implements access checking on the NC root for the access right GUIDs for requests with and without reveal secrets Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-09-29s4-drs: added drs_security_access_check_nc_root()Andrew Tridgell2-12/+63
this checks securiity on the NC root of the specified naming context
2010-09-29s4-sam: added DOMAIN_RID_ENTERPRISE_READONLY_DCS for RODCs in the PACAndrew Tridgell1-0/+16
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29s4-spnupdate: when we are a RODC we need to use the WriteSPN DRS callAndrew Tridgell1-10/+57
we can't do SPN updates via sam writes and replication, as the sam is read-only
2010-09-29s4-drsutils: expose DsBind() call in drs_utils.pyAndrew Tridgell1-37/+38
this will be used by samba_spnupdate
2010-09-29s4-kerberos: use TZ=GMT when we are invoking krb5 code in helpersAndrew Tridgell2-0/+12
Our helper scripts can fail on Fedora with the PDT timezone (Western USA). This is the same issue we found with Heimdal earlier today, the 24 second difference between GMT and UTC, but this time in MIT Kerberos as linked into bind9. By forcing TZ=GMT in these scripts we avoid the problem Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29s4-rodc: RODC should not accept requests for role transferNadezhda Ivanova1-0/+12
A RODC cannot assume a role, and unwillingToPerform must be returned if such request is sent via LDAP
2010-09-28s4-provision: simplify our generated krb5.confAndrew Tridgell1-14/+1
we don't want to force the KDC to be ourselves, we should be using DNS to find a live KDC. Also remove some other options and allow the krb5 lib to use defaults. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28s4-kdc: RODC DCs should be able to produce forwardable ticketsAndrew Tridgell1-1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28heimdal: fixed timegm UTC/GMT bugAndrew Tridgell1-15/+6
This was a wonderful bug! On some Fedora systems, but not on Ubuntu, there is a difference between UTC and GMT. Heimdal replaced timegm() with _der_timegm() which did not account for that difference (which is 24 seconds at the moment). This led to a mutual authentication failure. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28s4-sam: fixed termination of krbtgt_attrs (comma and NULL)Andrew Tridgell1-4/+4
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28ldb-dn: don't crash on NULL in ldb_binary_encode_string()Andrew Tridgell1-0/+3
Thanks to Nadya for finding this one!
2010-09-28s4-kdc Ensure that an RODC may act as a server (needed to fillAndrew Bartlett1-5/+24
the krbtgt role). Andrew Bartlett
2010-09-28heimdal Use a seperate krb5_auth_context for the delegated credentialsAndrew Bartlett3-1/+35
If we re-use this context, we overwrite the timestamp while talking to the KDC and fail the mutual authentiation with the target server. Andrew Bartlett
2010-09-28s4-drs: added support for DRSUAPI_EXOP_REPL_OBJAndrew Tridgell1-1/+32
this extended getncchanges operation replicates a single object
2010-09-28ldb-tdb: ignore failure to register control on rootdseAndrew Tridgell1-4/+1
this is expected for non-sam LDBs
2010-09-28s4-drs: use drs_ObjectIdentifier_*() calls in getncchangesAndrew Tridgell1-14/+16
this allows for replication by GUID or SID
2010-09-28s4-drs: moved the drs_ObjectIdentifier handling to dsdb_dn.cAndrew Tridgell2-44/+42
this will be used outside of the drs server. This also fixes the handling of the ndr_size elements of the drs_ObjectIdentifier
2010-09-28waf: we don't need the preprocessor recursion limit any moreAndrew Tridgell1-3/+0
thanks to ita for this
2010-09-28s4-drs: Added check for drs-manage-topology to updateRefs.Nadezhda Ivanova1-7/+9
2010-09-28s4-drs: Added drs_security_access_check functionNadezhda Ivanova2-0/+64
It takes a security token, an ldb_context, and the desired CAR and checks if the principal has this CAR granted
2010-09-28s4-dsdb: adapted check_access_on_dn for use in drs.Nadezhda Ivanova1-9/+10
2010-09-29heimdal Fix DNS name qualification to not mangle IP addressesAndrew Bartlett1-5/+23
If the host running this code used IPv6 forms for IPv4 addreses then the check for '.' would not be sufficient to determine that this isn't a name we should mangle. Instead, check if it can be parsed as a numeric address first, and only then mangle. Andrew Bartlett
2010-09-29s4-kdc Handle the case where we may be given a ticket from an RODC in db layerAndrew Bartlett6-37/+83
This includes rewriting the PAC if the original krbtgt isn't to be trusted, and reading different entries from the DB for the krbtgt depending on the krbtgt number. Andrew Bartlett
2010-09-29heimdal Add an error code for use in the RODCAndrew Bartlett1-0/+1
In this case, the whole request packet should be forwarded to a real KDC, with full secrets, as we don't have the password. This could also be used to implement 'play dead when the LDAP server is down'. Andrew Bartlett
2010-09-29heimdal Add support for extracting a particular KVNO from the databaseAndrew Bartlett7-19/+54
This should allow master key rollover. (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support) Andrew Bartlett
2010-09-29s4-kdc Add common setup, handle RODC setup caseAndrew Bartlett5-73/+156
This means we just set up the system_session etc in one place and don't diverge between the MIT and Heimdal plugins. We also now determine if we are an RODC and store some details that we will need later. Andrew Bartlett
2010-09-29s4-dsdb Add ldb_reset_err_string() when we set error codes.Andrew Bartlett2-0/+4
If we don't we could show an old, incrorrect error
2010-09-29s4-dsdb Make samdb_reference_dn() use dsdb_search() and DSDB_SEARCH_ONE_ONLYAndrew Bartlett1-7/+8
This simplifies the function. While doing so, also change the error string setting to set a really clear error string for the failure to find and failure to parse cases. Andrew Bartlett
generated by cgit (git 2.34.1) at 2024-11-07 21:12:01 +0000