Age | Commit message | Author | Files | Lines |
|
we mark these as incoming_only
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Guenther
|
|
Also remove bogus trustCurrentPasswords struct which we just had because our IDL
was incorrect.
Guenther
|
|
this really should be moved to IDL
|
|
this also removes some of the magic constants
|
|
During a RODC join, we need to fetch the secrets for the machine
account and krbtgt account using GetNCChanges
DRSUAPI_EXOP_REPL_SECRET calls
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
These are from libds/common/flags.h
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This can be used to form the partial_attribute_set list for
GetNCChanges
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
a RODC net join can now replicate the schema, config and base
partitions, by calling the net.replicate*() python hooks, and driving
the GetNCChanges calls from python
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
these calls allow python code to pass chunks from DRS replication
calls into the code that applies the chunks to a database
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this is used to set up for later calls to the replicate chunk functions
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
They should be "unsigned" since they count LDB objects. And also the SID array
can be counted as "unsigned".
|
|
this allows for command line access to getncchanges
it also provides a good example of calling DRSUAPI interfaces from
python
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This fixes a crash when using kerberos and the python dcerpc
interface, which requires event nesting
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this is useful when debugging replication
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we just need to clear this flag
|
|
This does the join using python code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
libnet_Replicate() will do just the replication portion of
libnet_Vampire(). This will be used by the RODC join, where the join
part of the operation happens in python, and behaves quite differently
to the libnet_Join() code.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privileges still need to be merged)
Andrew Bartlett
|
|
Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>
|
|
Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>
|
|
This makes it much clearer which argument to a function had the wrong
type
|
|
metze
|
|
This patch changes the behavior of LDAPCmp in a single domain
scenario. No place-holders will be applied during comparison
so replication will be fully tested and even the slightest
difference will pop up.
There is a second smaller fix when we compare hosts in different
domains. This fix disables ${SERVERNAME} place-holder when there
are more than one server (domain controller) in the given domain.
|
|
when adding a user with the RODC_JOIN control, the samAccountName is
automatically set to the krbtgt_NNNNN form
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we need to actually return the SID!
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this allows you to specify the RODC join control in python ldb calls
or on the command line
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when we deny a EXOP_REPL_SECRET call we should set the exop error code
to NONE, and the main return code to WERR_DS_DRA_ACCESS_DENIED (based
on observing windows server behaviour)
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The rules for when a RODC can replicate secrets are:
- it can always replicate its own acct
- it can also replicate its krbtgt acct
- it can't replicate other krbtgt accts
- it can't replicate interdomain trust accounts
- it can't replicate users in the denied group list
- it can replicate users in the allowed group list
otherwise it can't replicate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
it should honor the component_name
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
When a RODC uses extended getncchanges operation
DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to
replicate the secret attributes.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The getncchanges call needs to be able to access the sam as the system
user for RODC clients. To do this it needs a sam_ctx connection with
system credentials
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|