summaryrefslogtreecommitdiffstats
path: root/source4
Commit message (Collapse)AuthorAgeFilesLines
...
* s4-dsdb-test: Fix Undelete tests after subunit upgrade workKamen Mazdrashki2015-02-031-31/+31
| | | | | | | Change-Id: I4712a2a2163a57fde037511afcc1cb7bee05f12e Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb-test: Use case insensitive comparison for DNs in undelete testKamen Mazdrashki2015-02-031-1/+1
| | | | | | | Change-Id: I4a009bb7ed58ab857ac74a235bb5f580911f0d92 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb-test: Initial implementation for Tombstone restore test suiteKamen Mazdrashki2015-02-031-0/+285
| | | | | | | Change-Id: Ib35ff930b6e7cee14317328b6fe25b59eec5262c Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Some minor fixes in tombstone_reanimate, to make it work with aclNadezhda Ivanova2015-02-031-4/+4
| | | | | | | Change-Id: Idad221c7ecf778fd24f6017bb4c6eacac541086a Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Implementation of access checks on a undelete operationNadezhda Ivanova2015-02-031-18/+79
| | | | | | | | | | Special Reanimate-Tombstone access right is required, as well as most of the checks on a standard rename. Change-Id: Idae5101a5df4cd0d54fe4ab2f7e5ad7fc1c23648 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Tests for security checks on undelete operationNadezhda Ivanova2015-02-031-1/+131
| | | | | | | | | | | Implemented according to MS-ADTS 3.1.1.5.3.7.1. Unfortunately it appears LC is also necessary, and it is not granted by default to anyone but System and Administrator, so tests had to be done negatively Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Change-Id: Ic03b8fc4e222e7842ec8a9645a1bb33e7df9c438
* s4-dsdb: Mark request during Tombstone reanimation with custom LDAP controlKamen Mazdrashki2015-02-031-0/+14
| | | | | | | | | | We are going to need this so that underlying modules (acl.c) can treat those requests properly Change-Id: I6c12069aa6e7e01197dddda6c610d930d3fd9cb0 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Implement rename/modify requests as local for the moduleKamen Mazdrashki2015-02-031-2/+96
| | | | | | | | | | | The aim is for us to be able to fine tune the implementation and also add custom LDAP controls to mark all requests as being part of Reanimation procedure Change-Id: I9f1c04cd21bf032146eb2626d6495711fcadf10c Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Add documentation link for Tombstone ReanimationKamen Mazdrashki2015-02-031-1/+1
| | | | | | | Change-Id: Ib779c8b0839889371f25ad5751c9cda1a510eb54 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Define internal dsdb control to mark Tombstone reanimation requestsKamen Mazdrashki2015-02-032-0/+9
| | | | | | | | | | | | | | | | Tombstone reanimation requries some special handling which is going to affect several modules. Most notably: - a bit different access checks in acl.c - restore certain attributes during modify requests in samldb.c Control added also to schema_samba4.ldif by Andrew Bartlett hence the "pair programmed with" tag. Change-Id: Ief4f7dabbbdc2570924fae48c30ac9c531a701f4 Pair-programmed-with: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Make use dsdb_make_object_category() for objectCategoryKamen Mazdrashki2015-02-031-52/+1
| | | | | | | Change-Id: If65c54a653ad7078ca7a535b5c247db2746b5be7 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Make most specific objectCategory for an objectKamen Mazdrashki2015-02-031-0/+67
| | | | | | | | | | | | This is lightweight implementation and should be used on objects with already verified objectClass attribute value - eg. valid classes, sorted properly, etc. Checkout objectclass.c module for heavy weight implementation. Change-Id: Ifa7880d26246f67e2f982496fcc6c77e6648d56f Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Initialize module context only we are to handle Tombstone requestKamen Mazdrashki2015-02-031-5/+5
| | | | | | | Change-Id: I73bd2043e96907e3d1a669bdbd943ddee1df8c0a Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Return error codes as windows does for Tombstone reanimationKamen Mazdrashki2015-02-031-0/+4
| | | | | | | | | | | | Tested against Windows Server 2008 R2 In case we try to restore to already existing object, windows returns: LDB_ERR_ENTRY_ALREADY_EXISTS Otherwise it is: LDB_ERR_OPERATIONS_ERROR Change-Id: I6b5fea1e327416ccf5069d97a4a378a527a25f80 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb-tests: Fix whitespace in deletetest.pyKamen Mazdrashki2015-02-031-1/+1
| | | | | | | Change-Id: Ic2924b0aa9cffd29fe0c857317ccb65ba53a1c21 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb-tests: Make unique object names to test with in deletetestKamen Mazdrashki2015-02-031-10/+18
| | | | | | | | | This way we can re-run the test again and again Change-Id: I29bd878b77073d94a279c38bd0afc2f0befa6f9d Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb-tests: Remove unused method get_ldap_connection()Kamen Mazdrashki2015-02-031-13/+0
| | | | | | | Change-Id: Ie50f77dbba724dbd3c2822de5c2cfff41016fac6 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb-tests: Remove trailing ';' in deletetest.pyKamen Mazdrashki2015-02-031-2/+2
| | | | | | | Change-Id: Ic1ad6bbda55be56cbf7ae78a8ad988b8e479a40c Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Insert tombstone_reanimate module in ldb modules chain after ↵Kamen Mazdrashki2015-02-031-0/+1
| | | | | | | | | objectclass Change-Id: Id9748f36f0aefe40b1894ecd2e5071e3b9c8a6d6 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb: Initial implementation for Tombstone reanimation moduleKamen Mazdrashki2015-02-032-1/+266
| | | | | | | | | | | | | | | | | | At the moment it works for basic scenario: - add user - delete user - restore deleted user TODO: - security checks - flags verification - cross-NC checks - asynchronous implementation (may not be needed, but anyway) Change-Id: If396a6dfc766c224acfeb7e93ca75703e08c26e6 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4-dsdb-tests: Some tests for deleted objects undelete operationNadezhda Ivanova2015-02-031-5/+198
| | | | | | | | | | Based on MS-ADTS 3.1.1.5.3.7.2 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Change-Id: I650b315601fce574f9302435f812d1dd4b177e68
* s4-torture: the new krb5 kdc tests are heimdal, not dc specific.Günther Deschner2015-01-261-1/+1
| | | | | | | Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:rpc_server: add support for DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEMStefan Metzmacher2015-01-262-0/+39
| | | | | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Jan 26 14:23:50 CET 2015 on sn-devel-104
* s4:rpc_server: pass the remote address to gensec_set_remote_address()Stefan Metzmacher2015-01-261-1/+15
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/lsa: add dcesrv_lsa_OpenTrustedDomain_common()Stefan Metzmacher2015-01-261-75/+101
| | | | | | | | | | | | | dcesrv_lsa_OpenTrustedDomain() and dcesrv_lsa_OpenTrustedDomainByName() need to use the same logic and make sure trusted_domain_user_dn is valid. Otherwise dcesrv_lsa_OpenTrustedDomainByName() followed by dcesrv_lsa_DeleteObject() will leave the trust domain account in the database. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/netlogon: fix bugs in dcesrv_netr_DsRGetDCNameEx2()Stefan Metzmacher2015-01-261-8/+14
| | | | | | | | We should return the our ip address the client is connected too. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:dsdb/tests: add test_timevalues1() to verify timestamp valuesStefan Metzmacher2015-01-241-0/+40
| | | | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=9810 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Sat Jan 24 20:17:20 CET 2015 on sn-devel-104
* selftest: Run krb5.kdc test against users with a UPNAndrew Bartlett2015-01-231-2/+2
| | | | | | | | | | | This tests both a UPN in our own realm, and a UPN with a non-realm suffix. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jan 23 08:10:07 CET 2015 on sn-devel-104
* torture-krb5: Check for UPN hanlding in krb5.kdc.canon testAndrew Bartlett2015-01-231-18/+90
| | | | | | | | | This allows us to confirm correct behaviour when a UPN is in use, particularly with the canonicalize flag and with enterprise principal names Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Correctly return the krbtgt/realm@REALM principal from our KDCAndrew Bartlett2015-01-231-25/+31
| | | | | | | | | | This needs to vary depending on if the client requested the canonicalize flag This was found by our new krb5.kdc test Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Move checking of server and client names to krb5.kdc.canonAndrew Bartlett2015-01-232-20/+25
| | | | | | | | This keeps this test in one place, rather than duplicated between krb5.kdc and krb5.kdc.canon Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Move test of krb5_get_init_creds_opt_set_win2k to krb5.kdc.canonAndrew Bartlett2015-01-232-25/+11
| | | | | | | | | | This allows the impact of this to be verified with the other options we are setting This also removes duplication in the kdc.c testsuite. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Split the expected behaviour of the RODC upAndrew Bartlett2015-01-233-7/+14
| | | | | | | | The expectations of the cached accounts are different to those of the RODC in general. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-kdc: Skip the request-pac behaviour for now against an RODCAndrew Bartlett2015-01-231-0/+3
| | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add commentsAndrew Bartlett2015-01-232-0/+79
| | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Add TODO to remind us where we need to hook for RODC to get secretsAndrew Bartlett2015-01-231-0/+1
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Fix Samba's KDC to only change the principal in the right casesAndrew Bartlett2015-01-231-9/+23
| | | | | | | | | | | | | | | | If we are set to canonicalize, we get back the fixed UPPER case realm, and the real username (ie matching LDAP samAccountName) Otherwise, if we are set to enterprise, we get back the whole principal as-sent Finally, if we are not set to canonicalize, we get back the fixed UPPER case realm, but the as-sent username Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add tests for combinations of enterprise, cannon, and ↵Andrew Bartlett2015-01-234-6/+408
| | | | | | | | | | | different input principals This combinational test confirms the interactions between a number of differnet kerberos flags and principal types. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture: Extend krb5.kdc test to confirm correct RODC proxy behaviourAndrew Bartlett2015-01-232-5/+26
| | | | | | | | | | | The RODC should answer some requests locally, and others it should defer to the main DC. We can tell which KDC we talk do by the KVNO of the encrypted parts that are returned to the KDC. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Fix enterpise principal name handlingAndrew Bartlett2015-01-232-11/+24
| | | | | | | | | | | | Based on a patch by Samuel Cabrero <scabrero@zentyal.com> This ensures we write the correct (implict, samAccountName) based UPN into the ticket, rather than the userPrincipalName, which will have a different realm. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not ↵Andrew Bartlett2015-01-231-4/+19
| | | | | | | | | | | overwritten This change ensures that our RODC will correctly proxy when asked to provide a ticket for a service or user where the keys are not on this RODC. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Really bug in KDC handling of enterprise princsNicolas Williams2015-01-231-3/+2
| | | | | | | | | | | | | | | The value of this commit to Samba is to continue to match Heimdal's upstream code in this area. Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL there is no runtime difference. (commit message by Andrew Bartlett) Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Fix bug in KDC handling of enterprise principalsNicolas Williams2015-01-231-35/+38
| | | | | | | | | | | | | | The useful change in Samba from this commit is that we gain validation of the enterprise principal name. (commit message by Andrew Bartlett) Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* torture: Extend KDC test to cover more options and modesAndrew Bartlett2015-01-231-7/+147
| | | | | | Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Decode expected packets and test KDC behaviour for wrong passwordsAndrew Bartlett2015-01-231-9/+164
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Additionally run testsuite for krb5 and KDC behaviour against all ↵Andrew Bartlett2015-01-231-5/+5
| | | | | | | | the DC envs Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Additionally run testsuite for krb5 and KDC behaviour with ↵Andrew Bartlett2015-01-231-0/+4
| | | | | | | | unprivileged accounts Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Run new testsuite for krb5 and KDC behaviour with machine account alsoAndrew Bartlett2015-01-232-6/+15
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Start a new testsuite for krb5 and KDC behaviourAndrew Bartlett2015-01-236-37/+226
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* Remove use of the "staticforward" macroPetr Viktorin2015-01-222-2/+2
| | | | | | | | | | This macro was used for compatibility with broken compilers. Since Python 2.3, it is always defined as `static`, and only exists "for source compatibility with old C extensions". Signed-off-by: Petr Viktorin <pviktori@redhat.com> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
generated by cgit (git 2.34.1) at 2025-09-27 18:35:35 +0000