| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
It is a problem if a samba header is called ldap.h if we also want
to use OpenLDAP's ldap.h
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
|
| |
|
|
|
|
|
| |
We had to split up the auth module into a module loaded by main deamon
and a subsystem we manually init in the operational module.
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
|
| |
|
|
|
|
| |
I need to change the functions this calls
Andrew Bartlett
|
| | |
|
| | |
|
| |
|
|
| |
recompiled by waf.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This reverts commit 6276343ce1b7dd7d217e5a419c09f209f5f87379.
This is not needed anymore.
metze
|
| |
|
|
|
|
|
|
|
|
| |
before copying them"
This reverts commit fa87027592f71179c22f132e375038217bc9d36a.
This check is done one level above now.
metze
|
| |
|
|
|
|
|
|
| |
it's given
Sorry, I removed this logic while cleaning up indentation levels...
metze
|
| |
|
|
|
| |
When we don't have the cleartext of the new password then don't check it
using "samdb_check_password".
|
| | |
|
| |
|
|
| |
copying them
|
| |
|
|
|
| |
This is to don't break the provision process at the moment. We need to find
a better solution.
|
| |
|
|
|
|
| |
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.
metze
|
| |
|
|
|
|
|
|
| |
- Implement the password restrictions as specified in "samdb_set_password"
(complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
MS-ADTS 3.1.1.3.1.5)
|
| |
|
|
|
| |
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
|
| |
|
|
|
|
|
|
| |
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
"user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
|
| |
|
|
|
|
|
| |
- Add a new control for getting status informations (domain informations,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an addtional control "change_old password checked" for the password
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
metze
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This means that the existing kvno will no longer be valid, all
unix-based domain members may need to be rejoined, and
upgradeprovision run to update the local kvno in
secrets.ldb/secrets.keytab.
This is required to match the algorithm used by Windows DCs, which we
may be replicating with. We also need to find a way to generate a
reasonable kvno with the OpenLDAP backend.
Andrew Bartlett
|
| |
|
|
|
|
| |
Check on modify if we are RODC and return referral.
On the ldap backend side now we pass context and ldb_modify_default_callback
to propagate the referral error to the client.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The upgraded link values are were allocated on tmp_ctx, and need to be
kept until they are written to the DB. If we don't give the correct
context, they will be gone after the talloc_free(tmp_ctx).
Found by Matthieu Patou <mat+Informatique.Samba@matws.net>
Andrew Bartlett
|
| | |
|
| |
|
|
| |
getting older attributes is quite common
|
| |
|
|
|
|
|
| |
these partitions and not on the server we are replicating from. Also
check for deleted partitions.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
| |
DN links outside the set of partitions we are replication should be
allowed.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
|
| | |
|
| |
|
|
|
|
| |
This means we are only doing the checks for schema changes
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
| |
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
| |
|
|
|
|
|
|
| |
The SIDs in some queries were not being passed as binary, but as
strings in comparison with the securityIdentifer object. We need to
recognise that these are SIDs in the simple_ldap_map.
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
This is rather than rdn_name, which tries to do the job on the client
side. We need to leave this module in the stack for Fedora DS (and of
course the LDB backend).
Andrew Bartlett
|
| |
|
|
|
|
|
| |
In the future, LDAP backends will be resposible for maintaining the
'name' attributes.
Andrew Bartlett
|
| |
|
|
|
|
|
| |
By putting these values into the cache on the LDB, this reduces some
of the noise in provision, particularly with the LDAP backend.
Andrew Bartlett
|
| | |
|
| |
|
|
| |
metze
|
