path: root/source4/dsdb
Commit message | Author | Age | Files | Lines
...
* s4:dsdb/tests: add test_timevalues1() to verify timestamp values | Stefan Metzmacher | 2015-01-24 | 1 | -0/+40
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=9810
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Sat Jan 24 20:17:20 CET 2015 on sn-devel-104
* dsdb-tests: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set | Andrew Bartlett | 2015-01-22 | 1 | -3/+63
  Also confirm what bits have to be ignored, or otherwise processed
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Jan 22 10:16:42 CET 2015 on sn-devel-104
* dsdb-samldb: Clarify userAccountControl manipulation code by always using UF_ flags | Andrew Bartlett | 2015-01-22 | 1 | -8/+6
  The use of ACB_ flags was required before msDS-User-Account-Control-Computed was implemented
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-samldb: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set | Andrew Bartlett | 2015-01-22 | 1 | -3/+8
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-samldb: Only allow known and settable userAccountControl bits to be set | Andrew Bartlett | 2015-01-22 | 1 | -4/+9
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Show that we can not change the primaryGroupID of a DC | Andrew Bartlett | 2015-01-22 | 1 | -0/+110
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/samldb: let samldb_prim_group_change() protect DOMAIN_RID_{READONLY_,}DCS | Stefan Metzmacher | 2015-01-22 | 1 | -2/+26
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Improve userAccountControl handling | Andrew Bartlett | 2015-01-22 | 2 | -32/+158
  We now always check the ACL and invariant rules using the same function
  The change to libds is because UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type
  This list should only be of the account exclusive account type bits.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Add new test samba4.user_account_control.python | Andrew Bartlett | 2015-01-22 | 1 | -0/+521
  This confirms security behaviour of the userAccountControl attribute as well as the behaviour on ADD as well as MODIFY, for every userAccountControl bit.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Change-Id: I8cd0e0b3c8d40e8b8aea844189703c756cc372f0
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Default to UF_NORMAL_ACCOUNT when no account type is specified | Andrew Bartlett | 2015-01-22 | 1 | -3/+3
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type | Andrew Bartlett | 2015-01-22 | 1 | -10/+9
  This list should only be of the account exclusive account type bits.
  Note, this corrects the behaviour in samldb modifies of userAccountControl.
  This reverts 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Align sam.py with Windows 2012R2 and uncomment userAccountControl tests | Andrew Bartlett | 2015-01-22 | 1 | -82/+68
  These tests now pass against Samba and Windows 2012R2.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Change-Id: I1d7ba5e6a720b8da88c667bbbf3a4302c54642f4
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl | Andrew Bartlett | 2015-01-15 | 2 | -1/+195
  This requires an additional control to be used in the LSA server to add domain trust account objects.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(master): Thu Jan 15 14:54:47 CET 2015 on sn-devel-104
* CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c | Andrew Bartlett | 2015-01-15 | 1 | -2/+2
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag | Andrew Bartlett | 2015-01-15 | 1 | -0/+1
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Change-Id: I36ad5ebc5d8a4811c41b59af90a3add4ae5fd857
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptable | Garming Sam | 2014-12-22 | 2 | -15/+399
  This includes additional tests based directly on the docs, rather than simply testing our internal implementation in client and server contexts, that create a user and groups.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming-Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104
* dsdb: Ignore errors from search in dns_notify module | Andrew Bartlett | 2014-12-22 | 1 | -14/+12
  This ensures the error messages are unchanged
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Use a fixed set of attributes in search in dns_notify module | Andrew Bartlett | 2014-12-22 | 1 | -2/+4
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Use ldb_attr_cmp() for comparing objectclass names | Andrew Bartlett | 2014-12-22 | 1 | -3/+3
  This is the same as strcasecmp, but it is best to remain consistent.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-dns: Reload DNS zones from dsdb when zones are modified through RPC or DRS | Samuel Cabrero | 2014-12-22 | 3 | -1/+459
  Setup a RPC management call on the internal DNS server triggered a new LDB module which sniffs dnsZone object add, delete and modify operations. This way the notification is triggered when zones are modified either from RPC or replicated by inbound DRS.
  Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me>
  (shadowed variable error corrected by abartlet)
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dsdb: Only parse SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DN | Andrew Bartlett | 2014-12-22 | 1 | -1/+3
  This avoids trying to parse some other rule, like bitwise and, that may be applied to this attribute
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb: Fix not freed temp memory context | Samuel Cabrero | 2014-12-22 | 1 | -0/+1
  Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Define syntax access point oid string as a macro | Samuel Cabrero | 2014-12-22 | 2 | -1/+2
  Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Improve code clarity for ldb_extended_dn_in_openldap mode | Andrew Bartlett | 2014-12-22 | 1 | -3/+7
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/extended_dn_in: Fix DNs and filter expressions in extended match ops | Samuel Cabrero | 2014-12-22 | 1 | -13/+35
  Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/rootdse: expand extended dn values with the AS_SYSTEM control | Stefan Metzmacher | 2014-12-12 | 1 | -4/+2
  Otherwise we can't find the GUID of the 'serverName' attribute as ANONYMOUS.
  This results in
  root@ub1204-161:~# ldbsearch -U% -H ldap://172.31.9.161 -b '' -s base --extended-dn serverName
  search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020: operations error at ../source4/dsdb/samdb/ldb_modules/rootdse.c:567> <>
  While it works as system:
  root@ub1204-161:~# ldbsearch -U% -H /var/lib/samba/private/sam.ldb -b '' -s base --extended-dn serverName
  # record 1
  dn:
  serverName: <GUID=348c35e1-04e3-4988-a32c-32478d584551>;CN=UB1204-161,CN=Serve
   rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4xdom,DC=base
  # returned 1 records
  # 1 entries
  # 0 referrals
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10949
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* Reduce number of places where sys.path is (possibly) updated for external module paths. | Jelmer Vernooij | 2014-11-30 | 1 | -2/+1
  Change-Id: I69d060f27ea090d14405e884d1ce271975358c56
  Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date(master): Sun Nov 30 20:54:04 CET 2014 on sn-devel-104
* dsdb: Remove a self-assignment | Volker Lendecke | 2014-11-24 | 1 | -1/+0
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* sam: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-24 | 1 | -8/+4
  Change-Id: Ic2ac4b335cf805ddbd442a065c4eaf6ef2b210d9
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Use samba.tests.subunitrun in dsdb ldap and ldap_schema tests. | Jelmer Vernooij | 2014-11-24 | 2 | -39/+50
  Change-Id: I51ddc55720a23013a2c6ae20e3225f027348083c
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Use samba.tests.subunitrun in urgent replication test. | Jelmer Vernooij | 2014-11-24 | 1 | -13/+4
  Change-Id: I3e7a32876d557ac376326ab75e851298e874d584
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* ldap: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -19/+6
  Change-Id: I872654afb31a5eda8c88aac716f9ce79816e5f05
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* deletetest: use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -60/+52
  Change-Id: I13565c7c14ea186709ce1de9038ef840c5b766b8
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* ldap_syntaxes: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -24/+16
  Change-Id: Ib62b747876b4408fdc8ff44e9b4c63578e1a6408
  Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* password lockout: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -99/+90
  Change-Id: I848099d22acd4a0ce7d589de48eb72e2d180ceae
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* passwords: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -119/+113
  Change-Id: Ib806f63ef412fec264445eefd82146e5140b0bac
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* sec_descriptor: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -16/+6
  Change-Id: I5caba3e27ad21cc5381883a823e0ec5e2966a264
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* token_group: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -12/+8
  Change-Id: Id7c247451532eded1f44ef9b1aa1808dd18098c6
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* sites: Use samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -11/+6
  Change-Id: Ic06e1a0f7174683b6b817a5412b8635145329c00
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* sec_descriptor test: Simplify, use samba.tests.subunitrun module. | Jelmer Vernooij | 2014-11-22 | 1 | -19/+13
  Change-Id: I4ffda49cf3e209eaa28fc83f6fd9ded47f0ad7ee
  Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Move option handling into samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -8/+6
  Change-Id: I65a73b74854af636413f4f284147f3bcf28b6f82
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Move option parsing to samba.tests.subunitrun. | Jelmer Vernooij | 2014-11-22 | 1 | -1/+1
  Change-Id: I2939c1b6ebb9739530efa9bc4667668cff7a7aeb
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Add convenience class for old-style Samba subunit python tests. | Jelmer Vernooij | 2014-11-22 | 1 | -13/+10
  Change-Id: I84a97cc71cfa99c14e0c93ec19ff9eea6149bb5a
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb.tests.acl: Create and run a single testsuite, should ease migration to regular Python unit tests. | Jelmer Vernooij | 2014-11-19 | 1 | -34/+43
  Change-Id: I89072d3af1d90e87a47c197d28943f47cedc5deb
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb.tests.ldap: Create and run a single testsuite, should ease migration to regular Python unit tests. | Jelmer Vernooij | 2014-11-19 | 1 | -116/+73
  Change-Id: I07216ff1063e127b541bf4e5d6349d5a75cec678
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dirsync test: Create and run a single testsuite, should ease migration to regular Python unit tests. | Jelmer Vernooij | 2014-11-19 | 1 | -15/+12
  Change-Id: I6fbffd6453f8af966938943f2895bd6d93f8fb59
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* urgent_replication: Use subunit reporting, remove allow_empty_output. | Jelmer Vernooij | 2014-10-14 | 1 | -72/+44
  Change-Id: I6d479b218eff6c4292fbb99e4760bbd62ce1f380
  Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Do not attempt to return beyond the end of the password history array | Andrew Bartlett | 2014-10-13 | 1 | -2/+2
  Found by AddressSanitizer
  Change-Id: I82e35aea60726053c79510ba8ed3eedfaf553eb7
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Matthieu Patou <mat@matws.net>
  Autobuild-User(master): Matthieu Patou <mat@samba.org>
  Autobuild-Date(master): Mon Oct 13 08:28:15 CEST 2014 on sn-devel-104
* dsdb: Fix a crash in an error return | Volker Lendecke | 2014-10-11 | 1 | -1/+1
  In an error return we have
          /* Back it out, if it fails on one */
          for (i--; i >= 0; i--) {
                  ldb_next_del_trans(data->partitions[i]->module);
          }
  With unsigned int i this will spin and del_trans somewhere far off :-)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* repl: Specify the target realm in dreplsrv_get_target_principal() | Andrew Bartlett | 2014-09-30 | 1 | -2/+2
  We know what realm we need to contact, so avoid trying to correctly get a referral from our KDC.
  Andrew Bartlett
  Change-Id: I154ff72f3176d581b64e0c67d4a9c5f1f76b7924
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Sep 30 14:58:50 CEST 2014 on sn-devel-104