summaryrefslogtreecommitdiffstats
path: root/source4/dsdb/common
Commit message (Collapse)AuthorAgeFilesLines
* s4-dsdb: Refactor user objects defaults setter to use attribute/value mapKamen Mazdrashki2015-02-031-28/+49
| | | | | | | Change-Id: Iaa32af4225219a4c5c42c663022e8be429b8a1d2 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: common helper to determine "primaryGroupID" attribute valueKamen Mazdrashki2015-02-031-0/+32
| | | | | | | | | | At the moment current implementation does not check if group RID is existing group RID - this responsibility is left to the caller. Change-Id: I8c58dd23a7185d63fa2117be0617884eb78d13c1 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Common helper for setting "sAMAccountType" on User objectsKamen Mazdrashki2015-02-031-0/+36
| | | | | | | Change-Id: I4480e7d1ed0c754e960028e0be9a90ee56935e94 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Move User object default attribute values in separate helperKamen Mazdrashki2015-02-031-0/+42
| | | | | | | Change-Id: I1e291bcf0a5c9b2fca11323dc7f8be29f5145d42 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb-util: Mark attributes with ADD flag in samdb_find_or_add_attribute()Kamen Mazdrashki2015-02-031-1/+7
| | | | | | | | | | | | At the moment no flags are set and it works fine, since this function is solely used in samldb during ADD requests handling. Pre-setting a flag make it usefull for other modules and request handlers too Change-Id: I7e43dcbe2a8f34e3b0ec16ae2db80ef436df8bfe Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.cAndrew Bartlett2015-01-151-2/+2
| | | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb: Fix not freed temp memory contextSamuel Cabrero2014-12-221-0/+1
| | | | | | Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Define syntax access point oid string as a macroSamuel Cabrero2014-12-221-0/+1
| | | | | | Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Do not attempt to return beyond the end of the password history arrayAndrew Bartlett2014-10-131-2/+2
| | | | | | | | | | | Found by AddressSanitizer Change-Id: I82e35aea60726053c79510ba8ed3eedfaf553eb7 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Matthieu Patou <mat@matws.net> Autobuild-User(master): Matthieu Patou <mat@samba.org> Autobuild-Date(master): Mon Oct 13 08:28:15 CEST 2014 on sn-devel-104
* dsdb: Make log message more clearAndrew Bartlett2014-09-011-2/+6
| | | | | | | Change-Id: Ibf3c55748e755d2f6dae57293bfde11cdf7ba3ae Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
* dsdb: Also redact the clearTextPassword input-only attributeAndrew Bartlett2014-08-161-1/+2
| | | | | | | | | | | | | | | | | We go to a great deal of effort to avoid administrators posting their passwords in Samba logs, and one of the ways we do that is to remove them from internal ldif dumps Samba produces while operating as an AD DC. clearTextPassword is not a real attribute, but it functions as one for an input path. Change-Id: Iaacf3354fc9bfff18d6774f49b17a9ba962347d5 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Aug 16 01:05:07 CEST 2014 on sn-devel-104
* dsdb: Always store and return the userParameters as a array of LE 16-bit valuesAndrew Bartlett2014-07-091-14/+45
| | | | | | | | | | | | | | | This is not allowed to be odd length, as otherwise we can not send it over the SAMR transport correctly. Allocating one byte less memory than required causes malloc() heap corruption and then a crash or lockup of the SAMR server. Andrew Bartlett Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130 Change-Id: I5c0c531c1d660141e07f884a4789ebe11c1716f6 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Allow SAMR server to return the computed, not actual badPwdCountAndrew Bartlett2014-04-021-11/+49
| | | | | | | | | | | | This matters after the lockout observation period has expired. Note: that QueryUserInfo level 3 returns the raw badPwdCount value. Andrew Bartlett Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: check type with talloc_get_type_abort in samdb_set_passwordAndrew Bartlett2014-04-021-2/+5
| | | | | | Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.cAndrew Bartlett2014-04-021-0/+113
| | | | | | | | | | This allows the password_hash code to call the same update routine. Andrew Bartlett Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Add samdb_result_passwords_from_history helper functionAndrew Bartlett2014-04-021-0/+37
| | | | | | Change-Id: I949c6c64551f68c4381b41b30120874ead82949e Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: give a better error message and return code on failed password changeAndrew Bartlett2014-04-021-0/+5
| | | | | | Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords()Andrew Bartlett2014-04-021-2/+27
| | | | | | | | | | | | This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it. Andrew Bartlett Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or ↵Andrew Bartlett2014-04-021-17/+13
| | | | | | | | | | | | | | | | msDS-User-Account-Control-Computed This allows us to avoid the domain lookup in the constructed attribute when not required. By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module. Andrew Bartlett Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/util_samr: simplify dsdb_add_user()Stefan Metzmacher2014-04-021-42/+8
| | | | | | | | We can specify userAccountControl on the ldb_add() call. Change-Id: Ic990a74eaf9b38ddc1db3183a964972c786dbfdf Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.Garming Sam2014-03-051-1/+4
| | | | | | | | | | | Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls. Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* dsdb: Add more tests for DN+String and DN+Binary comparisonsAndrew Bartlett2014-02-051-0/+14
| | | | | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Feb 5 10:41:37 CET 2014 on sn-devel-104
* dsdb: Refuse to return an all-zero invocationIDAndrew Bartlett2013-09-191-0/+8
| | | | | | | | | This could cause an all-zero GUID to be entered into the replPropertyMetaData, which will then fail to be replicated to other DCs. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* python/drs: Ensure to pass in the local invocationID during the domain joinAndrew Bartlett2013-09-191-0/+2
| | | | | | | | | | This ensures (and asserts) that we never write an all-zero GUID as an invocationID to the database in replPropertyMetaData. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: remove a wrong comment in dsdb_check_access_on_dn_internal()Stefan Metzmacher2013-06-131-4/+1
| | | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Jun 13 18:19:24 CEST 2013 on sn-devel-104
* dsdb: don't allow a missing nTSecurityDescriptor in ↵Stefan Metzmacher2013-06-131-3/+3
| | | | | | | | | | dsdb_get_sd_from_ldb_message() Every object has a nTSecurityDescriptor attribute. This also avoids potential segfaults in the callers. Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: use AS_SYSTEM | SHOW_RECYCLED for access check searchesStefan Metzmacher2013-06-131-1/+7
| | | | | | | | | We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute. Also the result of this search not controlled by the client nor is the result exposed to the client. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Allow dsdb_find_dn_by_guid to show deleted DNsAndrew Bartlett2013-06-121-2/+4
| | | | | | | | | This helps us in the KCC as we need to return the deleted DN for the GUID in DsReplicaGetInfo calls (tested for deleted servers against Windows 2008R2). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb: Fix warnings about not set / set but unused / shadowed variablesMatthieu Patou2013-04-191-3/+0
| | | | | | | Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 19 13:15:40 CEST 2013 on sn-devel-104
* dsdb: Check for pointers before we deference them.Andreas Schneider2013-03-051-7/+7
| | | | Reviewed-by: David Disseldorp <ddiss@samba.org>
* dsdb/util: rework samdb_check_password() to support utf8Stefan Metzmacher2013-02-041-5/+16
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* dsdb: Ensure "authenticated users" is processed for group membershipsAndrew Bartlett2013-01-211-0/+25
| | | | | | | | | | | | | | | | | | This change moves the addition of "Authenticated Users" from the very end of the token processing to the start. The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects. Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: handle node initialisation in one spot in ↵Andrew Bartlett2013-01-211-3/+2
| | | | | | | | | | | | | | | | | | | | | | | insert_in_object_tree() This removes special-case for initalising the children array in insert_in_object_tree(). talloc_realloc() handles the intial allocate case perfectly well, so there is no need to have this duplicated. This also restores having just one place were the rest of the elements are intialised, to ensure uniform behaviour. To do this, we have to rework insert_in_object_tree to have only one output variable, both because having both root and new_node as output variables was too confusing, and because otherwise the two pointers were being allowed to point at the same memory. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: use 01.01.1970 as last_sync_success for our entry in the ↵Stefan Metzmacher2013-01-011-3/+4
| | | | | | | | | uptodatevector This matches a Windows 2008R2 and 2012 server. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: use LDB_SEQ_HIGHEST_SEQ for our entry in the uptodatevectorStefan Metzmacher2013-01-011-2/+2
| | | | | | | | | We should use the global highestCommittedUSN, not the per partition value. This matches a Windows 2008R2 and 2012 server. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if requiredStefan Metzmacher2012-12-111-7/+11
| | | | | | | | This should give the password_hash module a chance to detect if the called was the cleartext password or not. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to ↵Stefan Metzmacher2012-11-301-0/+2
| | | | | | | | | DSDB_SECRET_ATTRIBUTES_EX See [MS-ADTS] 3.1.1.4.4 Extended Access Checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* dsdb: Rename _res argument to _result.Jelmer Vernooij2012-11-061-6/+6
| | | | | | | | Newer versions of heimdal include a macro that is unfortunately named '_res'. This change prevents the clash. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-dsdb: Remove unused variablesAndrew Bartlett2012-09-011-3/+0
| | | | | Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Sep 1 05:10:47 CEST 2012 on sn-devel-104
* s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_contextAndrew Bartlett2012-09-011-2/+0
| | | | | | | This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky! Andrew Bartlett
* s4-dsdb: Use samdb_dn_is_our_ntdsa()Andrew Bartlett2012-08-141-14/+3
| | | | | | | This uses a GUID based comparison, and avoids re-fetching the samdb_ntds_settings_dn each time. Andrew Bartlett
* s4-dsdb: Add samdb_dn_is_our_ntdsa()Andrew Bartlett2012-08-141-0/+25
| | | | | | This is like samdb_reference_dn_is_our_ntdsa but without the attribute de-reference. Andrew Bartlett
* s4-dsdb: Use samdb_reference_dn_is_our_ntdsa()Andrew Bartlett2012-08-141-35/+4
|
* s4-dsdb: Add helper function samdb_reference_dn_is_our_ntdsa()Andrew Bartlett2012-08-141-1/+39
| | | | | | | | We often want to know if we own an FSMO role (for example). This tries to be more efficient by comparing the GUID, rather than the string DN, as this does not need to be re-fetched each time. Andrew Bartlett
* s4-dsdb: Use ldb_dn_copy() rather than talloc_reference()Andrew Bartlett2012-08-141-1/+1
| | | | | | | | | As the normal case (outside provision) uses a copy, this avoids a case where a caller might modify a global variable accidentily. As suggested by metze. Andrew Bartlett
* s4-libnet: Improve debugging of libnet_BecomeDC LDAP errorsAndrew Bartlett2012-08-141-0/+2
|
* s4-dsdb: Add mem_ctx argument to samdb_ntds_settings_dnAndrew Bartlett2012-08-141-10/+18
| | | | | | | | | | | | | | As this value is calculated new each time, we need to give it a context to live on. If the value is the forced value during provision, a reference is taken. This was responsible for the memory leak in the replication process. In the example I was given, this DN appeared in memory 13596 times! Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Aug 14 10:05:14 CEST 2012 on sn-devel-104
* s4-dsdb: Add constAndrew Bartlett2012-08-141-4/+4
|
* s4-dsdb when setting DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID make it ↵Andrew Bartlett2012-06-271-1/+7
| | | | non-critical
* s4:dsdb/common/util.c - samdb_is_pdc() - fail if the "fSMORoleOwner" ↵Matthias Dieter Wallnöfer2012-04-291-1/+5
| | | | attribute has not been set
generated by cgit (git 2.34.1) at 2024-10-11 23:18:29 +0000