summaryrefslogtreecommitdiffstats
path: root/source4
Commit message (Collapse)AuthorAgeFilesLines
* heimdal: added verbose logging of hemimdal crypto errorsAndrew Bartlett2010-09-301-2/+15
|
* s4-rodc: don't set SPECIAL_SECRET_PROCESSING on EXOP_REPL_SECRETAndrew Tridgell2010-09-301-0/+3
| | | | | | otherwise we don't get the secrets! Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-spn: don't try and send an empty SPN listAndrew Tridgell2010-09-301-0/+2
| | | | Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* selftest: Let selftest provide the tempdir, rather than creating it as ↵Jelmer Vernooij2010-10-012-6/+2
| | | | sideeffect of tests.py.
* selftest: fixed a selftest error on snAndrew Tridgell2010-09-301-1/+1
| | | | Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org>
* delete_object: Remove unnecessary pass calls.Jelmer Vernooij2010-10-011-7/+0
|
* s4-selftest: Remove unnecessary PYTHONPATH overrides.Jelmer Vernooij2010-10-011-6/+6
|
* s4-selftest: Normalize paths.Jelmer Vernooij2010-10-011-5/+5
|
* s4-selftest: Finish conversion of selftest.sh to Python.Jelmer Vernooij2010-10-012-104/+104
|
* s4-selftest: Convert tests.sh to Python.Jelmer Vernooij2010-10-012-544/+510
|
* s4-provision: wipe the old keytabs when provisioningAndrew Tridgell2010-09-302-7/+29
| | | | Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-rodc: fixed the keyVersionNumber on the RODC account in secrets.keytabAndrew Tridgell2010-09-301-2/+5
| | | | | | we need to fetch the msDS-keyVersionNumber from the writeable DC Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-drs: put the GCSPN flag into the repsTo if requestedAndrew Tridgell2010-09-302-0/+8
| | | | Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-libnet: wipe the old keytab when exportingAndrew Tridgell2010-09-301-0/+2
| | | | | | this prevents confusion with old keytab entries Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-dsdb: silence the domainFunctionality not setup warningAndrew Tridgell2010-09-301-1/+2
|
* s4-drs: added support for level 10 of getncchangesAndrew Tridgell2010-09-302-73/+112
| | | | added a simple mapping from req8
* LDAPCmp feature to compare nTSecurityDescriptorsZahari Zahariev2010-09-301-34/+252
| | | | | | | | | | | | | | | | | New feature that enables LDAPCmp users to find unmatched or missing ACEs in objects for the three naming contexts between DCs in one domain (default) or different domains. Comparing security descriptors is not the default action but attribute compatison. So to activate the new mode there is --sd switch. However there are two view modes to the new --sd action which are 'section' (default) or 'collision'. In 'section' mode you can only find differences connected to missing or value unmatched ACEs but not disorder unmatch if ACE values and count are the same. All of the mentioned differences plus disorder ACE unmatch you can observe under 'collision' view however it is more verbose. Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
* s4-selftest: Add some more comments to skip file.Jelmer Vernooij2010-09-301-1/+4
|
* selftest: Eliminate some unnecessary spaces.Jelmer Vernooij2010-09-301-36/+36
|
* s4-drepl: don't call UpdateRefs on a RODCAndrew Tridgell2010-09-291-5/+11
| | | | | | we use the ADD_REF bit in getncchanges instead Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
* s4-drepl: fixed the checking of replica_flags in the drepl serverAndrew Tridgell2010-09-291-7/+0
| | | | | | we were incorrectly avoiding a getncchanges when WRIT_REP was not set Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
* s4-kcc: fixed the replica_flags in repsFrom in the kccAndrew Tridgell2010-09-291-31/+72
| | | | | | | if our calculated replica_flags doesn't match the ones in our repsFrom then update it Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
* s4-dns: send A record updates via TKEYAndrew Tridgell2010-09-301-1/+6
|
* s4-smbtorture: add new EnumPrinters test to test printername/servernameGünther Deschner2010-09-301-13/+207
| | | | | | behaviour in EnumPrinter and GetPrinter calls. Guenther
* s4-samldb: also set a password on the krbtgt_NNNN accountAndrew Tridgell2010-09-291-0/+11
| | | | | | | when we setup the krbtgt_NNNN account using the DCPROMO_OID control, we also need to set an initial password for this account Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-devel: added new options to getncchanges scriptAndrew Tridgell2010-09-291-9/+65
| | | | | | added --pas, --dest-dsa and --replica-flags options Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
* s4-drs: implement PAS checks and access checks for getncchangesAndrew Tridgell2010-09-291-26/+130
| | | | | | | | | | | This implements partial attribute set checking on getncchanges. If the client sends a partial_attribute_set then we only return the specified attributes. This also implements access checking on the NC root for the access right GUIDs for requests with and without reveal secrets Pair-Programmed-With: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
* s4-drs: added drs_security_access_check_nc_root()Andrew Tridgell2010-09-292-12/+63
| | | | this checks securiity on the NC root of the specified naming context
* s4-sam: added DOMAIN_RID_ENTERPRISE_READONLY_DCS for RODCs in the PACAndrew Tridgell2010-09-291-0/+16
| | | | Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-spnupdate: when we are a RODC we need to use the WriteSPN DRS callAndrew Tridgell2010-09-291-10/+57
| | | | | we can't do SPN updates via sam writes and replication, as the sam is read-only
* s4-drsutils: expose DsBind() call in drs_utils.pyAndrew Tridgell2010-09-291-37/+38
| | | | this will be used by samba_spnupdate
* s4-kerberos: use TZ=GMT when we are invoking krb5 code in helpersAndrew Tridgell2010-09-292-0/+12
| | | | | | | | | | | Our helper scripts can fail on Fedora with the PDT timezone (Western USA). This is the same issue we found with Heimdal earlier today, the 24 second difference between GMT and UTC, but this time in MIT Kerberos as linked into bind9. By forcing TZ=GMT in these scripts we avoid the problem Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-rodc: RODC should not accept requests for role transferNadezhda Ivanova2010-09-291-0/+12
| | | | | A RODC cannot assume a role, and unwillingToPerform must be returned if such request is sent via LDAP
* s4-provision: simplify our generated krb5.confAndrew Tridgell2010-09-281-14/+1
| | | | | | | | we don't want to force the KDC to be ourselves, we should be using DNS to find a live KDC. Also remove some other options and allow the krb5 lib to use defaults. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: RODC DCs should be able to produce forwardable ticketsAndrew Tridgell2010-09-281-1/+1
| | | | Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* heimdal: fixed timegm UTC/GMT bugAndrew Tridgell2010-09-281-15/+6
| | | | | | | | | | | This was a wonderful bug! On some Fedora systems, but not on Ubuntu, there is a difference between UTC and GMT. Heimdal replaced timegm() with _der_timegm() which did not account for that difference (which is 24 seconds at the moment). This led to a mutual authentication failure. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-sam: fixed termination of krbtgt_attrs (comma and NULL)Andrew Tridgell2010-09-281-4/+4
| | | | Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* ldb-dn: don't crash on NULL in ldb_binary_encode_string()Andrew Tridgell2010-09-281-0/+3
| | | | Thanks to Nadya for finding this one!
* s4-kdc Ensure that an RODC may act as a server (needed to fillAndrew Bartlett2010-09-281-5/+24
| | | | | | the krbtgt role). Andrew Bartlett
* heimdal Use a seperate krb5_auth_context for the delegated credentialsAndrew Bartlett2010-09-283-1/+35
| | | | | | | If we re-use this context, we overwrite the timestamp while talking to the KDC and fail the mutual authentiation with the target server. Andrew Bartlett
* s4-drs: added support for DRSUAPI_EXOP_REPL_OBJAndrew Tridgell2010-09-281-1/+32
| | | | this extended getncchanges operation replicates a single object
* ldb-tdb: ignore failure to register control on rootdseAndrew Tridgell2010-09-281-4/+1
| | | | this is expected for non-sam LDBs
* s4-drs: use drs_ObjectIdentifier_*() calls in getncchangesAndrew Tridgell2010-09-281-14/+16
| | | | this allows for replication by GUID or SID
* s4-drs: moved the drs_ObjectIdentifier handling to dsdb_dn.cAndrew Tridgell2010-09-282-44/+42
| | | | | | | this will be used outside of the drs server. This also fixes the handling of the ndr_size elements of the drs_ObjectIdentifier
* waf: we don't need the preprocessor recursion limit any moreAndrew Tridgell2010-09-281-3/+0
| | | | thanks to ita for this
* s4-drs: Added check for drs-manage-topology to updateRefs.Nadezhda Ivanova2010-09-281-7/+9
|
* s4-drs: Added drs_security_access_check functionNadezhda Ivanova2010-09-282-0/+64
| | | | | It takes a security token, an ldb_context, and the desired CAR and checks if the principal has this CAR granted
* s4-dsdb: adapted check_access_on_dn for use in drs.Nadezhda Ivanova2010-09-281-9/+10
|
* heimdal Fix DNS name qualification to not mangle IP addressesAndrew Bartlett2010-09-291-5/+23
| | | | | | | | | If the host running this code used IPv6 forms for IPv4 addreses then the check for '.' would not be sufficient to determine that this isn't a name we should mangle. Instead, check if it can be parsed as a numeric address first, and only then mangle. Andrew Bartlett
* s4-kdc Handle the case where we may be given a ticket from an RODC in db layerAndrew Bartlett2010-09-296-37/+83
| | | | | | | | This includes rewriting the PAC if the original krbtgt isn't to be trusted, and reading different entries from the DB for the krbtgt depending on the krbtgt number. Andrew Bartlett
generated by cgit (git 2.34.1) at 2024-09-25 14:25:53 +0000