summaryrefslogtreecommitdiffstats
path: root/source4/dsdb
Commit message (Collapse)AuthorAgeFilesLines
...
* acl: Fix typo: structrual -> structuralJelmer Vernooij2014-09-271-1/+1
| | | | | | Change-Id: I859f62042e16d146ab4cb1490ab725d2bfa06db1 Signed-off-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Be less verbose when announcing kcc is being invoked.Jelmer Vernooij2014-09-271-1/+1
| | | | | | Change-Id: I94ab7d92e7e4f4311f0b20b1072c3ad05155d068 Signed-Off-By: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: improve debugging in DsCrackNameOneFilterAndrew Bartlett2014-09-011-1/+3
| | | | | | | | Change-Id: I64d8e1eb94d833dc8ebf18fecdf32a83470a087e Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-By: Jelmer Vernooij <jelmer@samba.org> 1
* dsdb: Make log message more clearAndrew Bartlett2014-09-011-2/+6
| | | | | | | Change-Id: Ibf3c55748e755d2f6dae57293bfde11cdf7ba3ae Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
* dsdb: Permit creation of partitions of type INSTANCE_TYPE_UNINSTANTAndrew Bartlett2014-09-011-4/+15
| | | | | | | | | | | This is only allowed when we are creating the objects from a DsAddEntry call, not over LDAP. Change-Id: Ieec6b07556d58741ec04fede8bf9940811f12a62 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
* join.py: Reinstate full_nc_list and make creation of NTDS-DSA object commonAndrew Bartlett2014-09-011-0/+2
| | | | | | | | | | | | The new function join_ntdsdsa_obj() returns the object, to be added over LDAP or DsAddEntry(). Andrew Bartlett Change-Id: I41ac256fb3d4edffc617af4ae580acd941b4de83 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
* dsdb: Change acl module to look for instanceType flag rather than list of NCsAndrew Bartlett2014-09-012-15/+87
| | | | | | | | | | This avoids any DNs being a free pass beyond the ACL code, instead it is based on the CN=Partitions ACL. Andrew Bartlett Change-Id: Ib2f4abe0165e47fa4a71925d126c2eeec68df119 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:samba_dnsupdate: cache the already registered recordsStefan Metzmacher2014-08-261-0/+13
| | | | | | | | | | | This way we can delete records which are not used anymore. E.g. if the ip address changed. Bug: https://bugzilla.samba.org/show_bug.cgi?id=9831 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Also redact the clearTextPassword input-only attributeAndrew Bartlett2014-08-161-1/+2
| | | | | | | | | | | | | | | | | We go to a great deal of effort to avoid administrators posting their passwords in Samba logs, and one of the ways we do that is to remove them from internal ldif dumps Samba produces while operating as an AD DC. clearTextPassword is not a real attribute, but it functions as one for an input path. Change-Id: Iaacf3354fc9bfff18d6774f49b17a9ba962347d5 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Aug 16 01:05:07 CEST 2014 on sn-devel-104
* s4-dsdb/cracknames: free realm from smb_krb5_principal_get_realm().Günther Deschner2014-08-081-3/+4
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-dsdb/samdb: use smb_krb5_principal_get_comp_string in ldb ACL module.Günther Deschner2014-08-082-6/+9
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-dsdb/samdb: use smb_krb5_make_principal for compatibility reasons with MIT.Günther Deschner2014-08-081-4/+5
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* messaging4: Change irpc_servers_by_name to NTSTATUSVolker Lendecke2014-07-211-5/+7
| | | | | | | | | | | | For me, counted arrays are easier to deal with than NULL-terminated ones. Here we also had a "server_id_is_disconnection" convention, which was not really obvious. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Mon Jul 21 20:28:53 CEST 2014 on sn-devel-104
* s4:dsdb/samldb: don't allow 'userParameters' to be modified over LDAP for nowStefan Metzmacher2014-07-091-0/+18
| | | | | | | | | | | | | | | | | For now it's safer to reject setting 'userParameters' via LDAP, as we'll not provide the same behavior as a Windows Server. If someone requires that feature please report this in the following bug reports! Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077 Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Jul 9 11:07:51 CEST 2014 on sn-devel-104
* dsdb: Always store and return the userParameters as a array of LE 16-bit valuesAndrew Bartlett2014-07-091-14/+45
| | | | | | | | | | | | | | | This is not allowed to be odd length, as otherwise we can not send it over the SAMR transport correctly. Allocating one byte less memory than required causes malloc() heap corruption and then a crash or lockup of the SAMR server. Andrew Bartlett Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130 Change-Id: I5c0c531c1d660141e07f884a4789ebe11c1716f6 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Set syntax of userParameters to binary string, not unicode stringAndrew Bartlett2014-07-092-0/+12
| | | | | | | | | | | | | | | | | | This means we continue to store the values as given on SAMR, assuming that the SAMR buffer is little endian. The syntax for this specific object is forced to be a binary blob, so that it is not converted on DRSUAPI. This commit does not fix existing databases, nor pdb_samba_dsdb (used by classicupgrade). Andrew Bartlett Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077 Change-Id: I10bb6aaecc381194e3c0ce6b9163f961acbdcee1 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/repl_meta_data: make sure objectGUID can't be deletedStefan Metzmacher2014-07-091-3/+3
| | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=9763 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/extended_dn_in: don't force DSDB_SEARCH_SHOW_RECYCLEDStefan Metzmacher2014-07-091-17/+20
| | | | | | | | | | | | | We should take the controls the caller provided when we search for existing objects. A search with a basedn of '<GUID=....>' should result in LDB_ERR_NO_SUCH_OBJECT is the object has isDeleted=TRUE. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10694 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/kcc: use SHOW_RECYCLED instead of SHOW_DELETED in when deleting ↵Stefan Metzmacher2014-07-091-1/+1
| | | | | | | | | | | tombstone/deleted objects SHOW_RECYCLED implies SHOW_DELETED. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10694 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/schema_load: make error message more verboseStefan Metzmacher2014-07-091-1/+2
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Order switch statementsSamuel Cabrero2014-07-071-10/+10
| | | | | | | | | Signed-off-by: Samuel Cabrero <scabrero@zentyal.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Kamen Mazdrashki <kamenim@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Jul 7 07:47:44 CEST 2014 on sn-devel-104
* idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfoSamuel Cabrero2014-07-071-1/+26
| | | | | | | Signed-off-by: Samuel Cabrero <scabrero@zentyal.com> Reviewed-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
* secrets: Ensure we store the secureChannelType when written to secrets.ldbAndrew Bartlett2014-07-041-0/+1
| | | | | | | | | This will allow winbindd to know when we are an RODC without needing to dig into sam.ldb. Change-Id: Ibdfa37fe6269305ccc5db42479f4a8db5eea53f3 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
* dsdb: Do not refresh the schema using the wrong event contextAndrew Bartlett2014-06-115-112/+191
| | | | | | | | | | | | | | | | What we now do is have the refresh function and module be on a seperate object to the schema, only referring to the data and not excuting on the original ldb and event loop. That is, we never use another ldb context when calling the refresh function, by binding the refresh handler to the ldb and not the schema. Andrew Bartlett Change-Id: I5c323dda743cf5858badd01147fda6227599bc16 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* dsdb: Do not store a struct ldb_dn in struct schema_dataAndrew Bartlett2014-06-118-43/+41
| | | | | | | | | | | | The issue is that the DN contains a pointer to the ldb it belongs to, and if this is not kept around long enough, we might reference memory after it is de-allocated. Andrew Bartlett Change-Id: I040a6c37a3164b3309f370e32e598dd56b1a1bbb Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Use GUID_equal in a few placesVolker Lendecke2014-06-106-13/+13
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* dsdb: Do not give an error is metadata.tdb does not yet existAndrew Bartlett2014-06-041-2/+2
| | | | | | Change-Id: I88ee188c776364fd66da388ce01fc9288aa2ded0 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* dsdb: Do not permit nested event loops when in a transaction, use a nested ↵Andrew Bartlett2014-05-061-13/+80
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | event context It is never safe to execute arbitary code inside a transaction - we need to get in and get out, not run other events for the rest of the server. This patch avoids that by creating a private event loop during transactions, so no unexpected operations fire, and returning the original one when we finish it. If an event fires during an LDB transaction, an unrelated operation can occur during the transaction, and if the transaction were to be cancelled, there would be a silent rollback (despite the client having been indicated success). Additionally, other processes could be called via IRPC that need to operate on the database but are locked out due to the ongoing transaction. Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=10582 Change-Id: I22322fc006e61d7291da17cdf6431416ebb7b30f Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue May 6 13:36:20 CEST 2014 on sn-devel-104
* dsdb: Rename private_data to rootdse_private_data in rootdseAndrew Bartlett2014-05-061-8/+8
| | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10582 Change-Id: I349a2be67333ada86c19cd6d2ed283cd5bbeb2aa Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Make it harder to corrupt the database by requiring DBCHECK or RELAX ↵Andrew Bartlett2014-05-032-10/+32
| | | | | | | | | | | | | | | for final object deletion This kind of deletion can cause us to then replicate back a partial object. We allow dbcheck to directly remove totally corrupt objects (missing an objectclass) by specifying both DBCHECK and RELAX, and the tombstone sweep after 180 days is done with the RELAX control. Andrew Bartlett Change-Id: Ic21f68e507ba9b65e035ca568430e35e2d001c7d Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:repl_meta_data: fix array assignment in replmd_process_linked_attribute()Stefan Metzmacher2014-05-021-2/+2
| | | | | | Change-Id: I10357236108f68ab749ba0e1f07558302c573887 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kerberos: Remove un-used event context argument from smb_krb5_init_context()Andrew Bartlett2014-04-283-4/+0
| | | | | | | | | | | | | | | | | The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result. The actual network communication code sets an event context directly before making the network call. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* dsdb: Specify no event context to smb_krb5_init_context() in dsdbAndrew Bartlett2014-04-283-4/+6
| | | | | | | | | | These routines parse principals and generate keys only, no network communication is done. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* selftest: Add test for password lockoutAndrew Bartlett2014-04-021-0/+1484
| | | | | | Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Allow SAMR server to return the computed, not actual badPwdCountAndrew Bartlett2014-04-021-11/+49
| | | | | | | | | | | | This matters after the lockout observation period has expired. Note: that QueryUserInfo level 3 returns the raw badPwdCount value. Andrew Bartlett Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/samldb: rework samldb_user_account_control_change()Stefan Metzmacher2014-04-021-99/+134
| | | | | | | | | | | | - Removing ACB_AUTOLOCK/UF_LOCKOUT from the effective userAccountControl flags (combined with msDS-User-Account-Control-Computed) results in lockoutTime=0 (implying badPadCount=0). - We also do more validation of the account type flags now. Change-Id: If7f224cf60920037a0ae19a10d116ac265771a4c Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()Stefan Metzmacher2014-04-021-10/+0
| | | | | | | | Setting UF_PASSWORD_EXPIRED doesn't reset "pwdLastSet" to "0"! Change-Id: I9e004195ad864b8b3fe036986b1087398d1f6fc5 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: check type with talloc_get_type_abort in samdb_set_passwordAndrew Bartlett2014-04-021-2/+5
| | | | | | Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Implement password lockout on LDAP password changesAndrew Bartlett2014-04-021-16/+134
| | | | | | | | | | | | | | | To do this, and have the badPwdCount update stick, we must abort, open, close and reopen transactions such that the badPwdCount update is in it's own transaction. To ensure the tests can confirm the correct behaviour here, we must output the Windows error code in the error message. Andrew Bartlett Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.cAndrew Bartlett2014-04-021-0/+113
| | | | | | | | | | This allows the password_hash code to call the same update routine. Andrew Bartlett Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0Stefan Metzmacher2014-04-021-0/+57
| | | | | | | | See [MS-SAMR] 3.1.1.8.3 lockoutTime. Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: collapse wrong password and no-password-hash errors into one handlerAndrew Bartlett2014-04-021-25/+3
| | | | | | | | | | This avoids giving away too much information to an attacker. Andrew Bartlett Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Add samdb_result_passwords_from_history helper functionAndrew Bartlett2014-04-021-0/+37
| | | | | | Change-Id: I949c6c64551f68c4381b41b30120874ead82949e Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: give a better error message and return code on failed password changeAndrew Bartlett2014-04-021-0/+5
| | | | | | Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords()Andrew Bartlett2014-04-022-7/+43
| | | | | | | | | | | | This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it. Andrew Bartlett Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or ↵Andrew Bartlett2014-04-021-17/+13
| | | | | | | | | | | | | | | | msDS-User-Account-Control-Computed This allows us to avoid the domain lookup in the constructed attribute when not required. By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module. Andrew Bartlett Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputedAndrew Bartlett2014-04-021-1/+47
| | | | | | | | | | | | This assists in testing this aspect of msDS-User-Account-Control-Computed, and is exposed in AD for clients to query. Andrew Bartlett Change-Id: I10fd214b0585a16f8addb00c252f656419a03f4a Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Implement msDS-User-Account-Control-ComputedAndrew Bartlett2014-04-021-1/+165
| | | | | | | | | | | This is needed to get consistent account lockout support across the whole server. Andrew Bartlett Change-Id: I2fa1e707d33f5567b6cb4e2b27e340fa9f40cee9 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Use a list for the extra attributes that may be requiredAndrew Bartlett2014-04-021-28/+52
| | | | | | Change-Id: Ifa2e006c9401e92e71d6588d6ea879c6f437cdd5 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/util_samr: simplify dsdb_add_user()Stefan Metzmacher2014-04-021-42/+8
| | | | | | | | We can specify userAccountControl on the ldb_add() call. Change-Id: Ic990a74eaf9b38ddc1db3183a964972c786dbfdf Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
generated by cgit (git 2.34.1) at 2025-08-30 06:35:20 +0000