path: root/source4/dsdb/common
Commits (subject; author, date; files changed, lines removed/added):
* dsdb: Allow SAMR server to return the computed, not actual badPwdCount
  Andrew Bartlett, 2014-04-02, 1 file changed, -11/+49

  This matters after the lockout observation period has expired. Note that QueryUserInfo level 3 returns the raw badPwdCount value.

  Andrew Bartlett

  Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: check type with talloc_get_type_abort in samdb_set_password
  Andrew Bartlett, 2014-04-02, 1 file changed, -2/+5

  Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
  Andrew Bartlett, 2014-04-02, 1 file changed, -0/+113

  This allows the password_hash code to call the same update routine.

  Andrew Bartlett

  Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Add samdb_result_passwords_from_history helper function
  Andrew Bartlett, 2014-04-02, 1 file changed, -0/+37

  Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: give a better error message and return code on failed password change
  Andrew Bartlett, 2014-04-02, 1 file changed, -0/+5

  Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords()
  Andrew Bartlett, 2014-04-02, 1 file changed, -2/+27

  This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it.

  Andrew Bartlett

  Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
  Andrew Bartlett, 2014-04-02, 1 file changed, -17/+13

  This allows us to avoid the domain lookup in the constructed attribute when not required.

  By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module.

  Andrew Bartlett

  Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/util_samr: simplify dsdb_add_user()
  Stefan Metzmacher, 2014-04-02, 1 file changed, -42/+8

  We can specify userAccountControl on the ldb_add() call.

  Change-Id: Ic990a74eaf9b38ddc1db3183a964972c786dbfdf
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Remove a number of NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros from the codebase.
  Garming Sam, 2014-03-05, 1 file changed, -1/+4

  Following the current coding guidelines, it is considered bad practice to return from within a macro and change control flow as they look like normal function calls.

  Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* dsdb: Add more tests for DN+String and DN+Binary comparisons
  Andrew Bartlett, 2014-02-05, 1 file changed, -0/+14

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Feb 5 10:41:37 CET 2014 on sn-devel-104
* dsdb: Refuse to return an all-zero invocationID
  Andrew Bartlett, 2013-09-19, 1 file changed, -0/+8

  This could cause an all-zero GUID to be entered into the replPropertyMetaData, which will then fail to be replicated to other DCs.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* python/drs: Ensure to pass in the local invocationID during the domain join
  Andrew Bartlett, 2013-09-19, 1 file changed, -0/+2

  This ensures (and asserts) that we never write an all-zero GUID as an invocationID to the database in replPropertyMetaData.

  Andrew Bartlett

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: remove a wrong comment in dsdb_check_access_on_dn_internal()
  Stefan Metzmacher, 2013-06-13, 1 file changed, -4/+1

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Thu Jun 13 18:19:24 CEST 2013 on sn-devel-104
* dsdb: don't allow a missing nTSecurityDescriptor in dsdb_get_sd_from_ldb_message()
  Stefan Metzmacher, 2013-06-13, 1 file changed, -3/+3

  Every object has a nTSecurityDescriptor attribute. This also avoids potential segfaults in the callers.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: use AS_SYSTEM | SHOW_RECYCLED for access check searches
  Stefan Metzmacher, 2013-06-13, 1 file changed, -1/+7

  We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute. Also the result of this search is not controlled by the client nor is the result exposed to the client.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Allow dsdb_find_dn_by_guid to show deleted DNs
  Andrew Bartlett, 2013-06-12, 1 file changed, -2/+4

  This helps us in the KCC as we need to return the deleted DN for the GUID in DsReplicaGetInfo calls (tested for deleted servers against Windows 2008R2).

  Andrew Bartlett

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb: Fix warnings about not set / set but unused / shadowed variables
  Matthieu Patou, 2013-04-19, 1 file changed, -3/+0

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Apr 19 13:15:40 CEST 2013 on sn-devel-104
* dsdb: Check for pointers before we dereference them.
  Andreas Schneider, 2013-03-05, 1 file changed, -7/+7

  Reviewed-by: David Disseldorp <ddiss@samba.org>
* dsdb/util: rework samdb_check_password() to support utf8
  Stefan Metzmacher, 2013-02-04, 1 file changed, -5/+16

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* dsdb: Ensure "authenticated users" is processed for group memberships
  Andrew Bartlett, 2013-01-21, 1 file changed, -0/+25

  This change moves the addition of "Authenticated Users" from the very end of the token processing to the start.

  The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects.

  Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular).

  Andrew Bartlett

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/security: handle node initialisation in one spot in insert_in_object_tree()
  Andrew Bartlett, 2013-01-21, 1 file changed, -3/+2

  This removes the special-case for initialising the children array in insert_in_object_tree(). talloc_realloc() handles the initial allocate case perfectly well, so there is no need to have this duplicated.

  This also restores having just one place where the rest of the elements are initialised, to ensure uniform behaviour.

  To do this, we have to rework insert_in_object_tree to have only one output variable, both because having both root and new_node as output variables was too confusing, and because otherwise the two pointers were being allowed to point at the same memory.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: use 01.01.1970 as last_sync_success for our entry in the uptodatevector
  Stefan Metzmacher, 2013-01-01, 1 file changed, -3/+4

  This matches a Windows 2008R2 and 2012 server.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: use LDB_SEQ_HIGHEST_SEQ for our entry in the uptodatevector
  Stefan Metzmacher, 2013-01-01, 1 file changed, -2/+2

  We should use the global highestCommittedUSN, not the per partition value.

  This matches a Windows 2008R2 and 2012 server.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if required
  Stefan Metzmacher, 2012-12-11, 1 file changed, -7/+11

  This should give the password_hash module a chance to detect if the called was the cleartext password or not.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to DSDB_SECRET_ATTRIBUTES_EX
  Stefan Metzmacher, 2012-11-30, 1 file changed, -0/+2

  See [MS-ADTS] 3.1.1.4.4 Extended Access Checks.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* dsdb: Rename _res argument to _result.
  Jelmer Vernooij, 2012-11-06, 1 file changed, -6/+6

  Newer versions of heimdal include a macro that is unfortunately named '_res'. This change prevents the clash.

  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-dsdb: Remove unused variables
  Andrew Bartlett, 2012-09-01, 1 file changed, -3/+0

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sat Sep 1 05:10:47 CEST 2012 on sn-devel-104
* s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_context
  Andrew Bartlett, 2012-09-01, 1 file changed, -2/+0

  This was found based on a log provided by Ricky Nance <ricky.nance@weaubleau.k12.mo.us>. Thanks Ricky!

  Andrew Bartlett
* s4-dsdb: Use samdb_dn_is_our_ntdsa()
  Andrew Bartlett, 2012-08-14, 1 file changed, -14/+3

  This uses a GUID based comparison, and avoids re-fetching the samdb_ntds_settings_dn each time.

  Andrew Bartlett
* s4-dsdb: Add samdb_dn_is_our_ntdsa()
  Andrew Bartlett, 2012-08-14, 1 file changed, -0/+25

  This is like samdb_reference_dn_is_our_ntdsa but without the attribute de-reference.

  Andrew Bartlett
* s4-dsdb: Use samdb_reference_dn_is_our_ntdsa()
  Andrew Bartlett, 2012-08-14, 1 file changed, -35/+4
* s4-dsdb: Add helper function samdb_reference_dn_is_our_ntdsa()
  Andrew Bartlett, 2012-08-14, 1 file changed, -1/+39

  We often want to know if we own an FSMO role (for example). This tries to be more efficient by comparing the GUID, rather than the string DN, as this does not need to be re-fetched each time.

  Andrew Bartlett
* s4-dsdb: Use ldb_dn_copy() rather than talloc_reference()
  Andrew Bartlett, 2012-08-14, 1 file changed, -1/+1

  As the normal case (outside provision) uses a copy, this avoids a case where a caller might modify a global variable accidentally.

  As suggested by metze.

  Andrew Bartlett
* s4-libnet: Improve debugging of libnet_BecomeDC LDAP errors
  Andrew Bartlett, 2012-08-14, 1 file changed, -0/+2
* s4-dsdb: Add mem_ctx argument to samdb_ntds_settings_dn
  Andrew Bartlett, 2012-08-14, 1 file changed, -10/+18

  As this value is calculated new each time, we need to give it a context to live on. If the value is the forced value during provision, a reference is taken.

  This was responsible for the memory leak in the replication process. In the example I was given, this DN appeared in memory 13596 times!

  Andrew Bartlett

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Aug 14 10:05:14 CEST 2012 on sn-devel-104
* s4-dsdb: Add const
  Andrew Bartlett, 2012-08-14, 1 file changed, -4/+4
* s4-dsdb when setting DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID make it non-critical
  Andrew Bartlett, 2012-06-27, 1 file changed, -1/+7
* s4:dsdb/common/util.c - samdb_is_pdc() - fail if the "fSMORoleOwner" attribute has not been set
  Matthias Dieter Wallnöfer, 2012-04-29, 1 file changed, -1/+5
* Move NS_GUID_string and NS_GUID_from_string to dsdb-common.
  Jelmer Vernooij, 2012-03-20, 2 files changed, -0/+62
* s4-lib: Remove unused samdb_msg_set_value()
  Ricky Nance, 2012-02-25, 1 file changed, -15/+0

  Found by callcatcher.

  Ricky Nance
* s4-lib: Remove unused samdb_msg_set_string()
  Ricky Nance, 2012-02-25, 1 file changed, -15/+0

  Found by callcatcher.

  Ricky Nance
* s4-lib: Remove unused samdb_msg_set_int()
  Ricky Nance, 2012-02-25, 1 file changed, -15/+0

  Found by callcatcher.

  Ricky Nance
* dsdb: Allow DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID to be specified as a flag
  Andrew Bartlett, 2012-01-24, 2 files changed, -0/+8
* s4:dsdb/common/util.c - test LDB result against LDB_SUCCESS as we are always doing
  Matthias Dieter Wallnöfer, 2011-12-09, 1 file changed, -1/+1

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Fri Dec 9 12:00:03 CET 2011 on sn-devel-104
* dsdb: Fix the password expiry calculation
  Amitay Isaacs, 2011-11-18, 1 file changed, -1/+1

  As per Section 3.1.1.4.5.26 [MS-ADTS.pdf], password is expired if
  pwdLastSet = null, or
  pwdLastSet = 0, or
  (maxPwdAge != 0x8000000000000000 and (ST - pwdLastSet) > maxPwdAge)
* dsdb: Handle the case when extended rights string is NULL
  Amitay Isaacs, 2011-11-02, 1 file changed, -4/+7

  Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
  Autobuild-User: Andrew Tridgell <tridge@samba.org>
  Autobuild-Date: Wed Nov 2 07:03:40 CET 2011 on sn-devel-104
* s4-dsdb: fixed re-join of subdomain
  Andrew Tridgell, 2011-10-04, 1 file changed, -3/+4

  if we repeat the join of a subdomain then we try to re-create the NC for the subdomain during a DsAddEntry(). This allows that re-creation to succeed if the NC already exists
* s4-dsdb: simplify samdb_is_gc()
  Andrew Tridgell, 2011-10-04, 1 file changed, -28/+2

  we already have a function for returning the NTDS options
* s4-dsdb: added new control DSDB_MODIFY_PARTIAL_REPLICA
  Andrew Tridgell, 2011-10-04, 2 files changed, -0/+67

  this control tells the partition module that the DN being created is a partial replica, so it should modify the @PARTITION object to add the partialReplica attribute

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-dsdb: added NO_GLOBAL_CATALOG control
  Andrew Tridgell, 2011-09-22, 2 files changed, -1/+11

  this control is used to ask samdb to not return searches with a basedn in partial replica partitions, which is needed to support the difference between a search on the 3268 GC ldap port and the non-GC 389 port