summaryrefslogtreecommitdiffstats
path: root/source4/dsdb
Commit message (Collapse)AuthorAgeFilesLines
...
* dsdb: Make linked_attributes module GUID based for renamesAndrew Bartlett2013-01-121-13/+64
| | | | | | | | | | | | | | | This ensures that when we have the backlink out of sync with the forward link (perhaps due to another operation that has put the backlink handling in an end-of-transaction TODO list in repl_meta_data) that we do not error out, we just cope as well as we can. The GUID is the unique identifier, not the DN. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Sat Jan 12 12:52:28 CET 2013 on sn-devel-104
* dsdb-acl: give error string if we can not obtain the schemaAndrew Bartlett2013-01-101-2/+3
| | | | Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/drepl: update the source_dsa_obj/invocation_id in repsFromStefan Metzmacher2013-01-011-0/+4
| | | | | | | The highwatermark is relative to the source_dsa_invocation_id. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: use 01.01.1970 as last_sync_success for our entry in the ↵Stefan Metzmacher2013-01-011-3/+4
| | | | | | | | | uptodatevector This matches a Windows 2008R2 and 2012 server. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: use LDB_SEQ_HIGHEST_SEQ for our entry in the uptodatevectorStefan Metzmacher2013-01-011-2/+2
| | | | | | | | | We should use the global highestCommittedUSN, not the per partition value. This matches a Windows 2008R2 and 2012 server. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/repl_meta_data: don't merge highwatermark and uptodatevector (bug #9508)Stefan Metzmacher2013-01-011-38/+1
| | | | | | | | | We should not do any magic regarding the highwatermark we got from the source dsa. We need to treat it as opaque and not try to be smart and merge it into the uptodatevector. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/repl_meta_data: also update the last_sync_success in replUpToDateVectorStefan Metzmacher2013-01-011-5/+1
| | | | | | | This matches Windows 2008R2 and Windows 2012. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/repl_meta_data: store the last results and timestamps in the repsFromStefan Metzmacher2013-01-011-0/+3
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/repl_meta_data: always treat the highwatermark as opaque (bug #9508)Stefan Metzmacher2013-01-011-1/+0
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-dsdb: Make it clear that we want to fall trough here.Andreas Schneider2012-12-211-0/+1
| | | | | | | Found by Coverity. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* s4:dsdb/password_hash: do the min password age checks firstMichael Adam2012-12-111-11/+13
| | | | | | | Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if requiredStefan Metzmacher2012-12-111-7/+11
| | | | | | | | This should give the password_hash module a chance to detect if the called was the cleartext password or not. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/password_hash: Honor password complexity settings.Stefan Metzmacher2012-12-111-5/+0
| | | | | | | | | | | | | | | | | | | | | | | | Honor password complexity settings when creating new users. Without this patch, you could set simple passwords although the complexity settings were enabled. This was an issue with 'samba-tool user add' and also when adding new users via Windows' "Active Directory Users and Computers" MMC Snap-In. The following scenarios were tested successfully after applying the patch: -'samba-tool user add' against s4 -'samba-tool user add -H' against a Windows DC -Adding a new user on a s4 DC using Windows' "Active Directory Users and Computers" MMC Snap-In. Please note that this bug was caused by a mistake in the documentation. Fix bug #9414 - 'samba-tool user add' ignores password complexity settings. Pair-programmed-with: Karolin Seeger <kseeger@samba.org> Pair-Programmed-With: Michael Adam <obnox@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Michael Adam <obnox@samba.org>
* Revert "s4:dsdb/password_hash: Honor password complexity settings."Stefan Metzmacher2012-12-111-7/+1
| | | | | | | | | This reverts commit f8056b7a6998e002f473b0ad79eee046236a7032. A better fix will follow. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/descriptor: pass object_list to create_security_descriptor()Stefan Metzmacher2012-12-111-2/+13
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/tests/sec_descriptor: verify the search of a windows dc join keeps ↵Stefan Metzmacher2012-12-101-0/+7
| | | | | | | | | | | | working This is a regression test for bug #9470. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Mon Dec 10 15:41:12 CET 2012 on sn-devel-104
* s4:dsdb/tests/sec_descriptor: verify the nTSecurityDescriptor and sd_flags ↵Stefan Metzmacher2012-12-101-0/+116
| | | | | | | | | interaction This is a regression test for bug #9470. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/operational: fix stripping of the nTSecurityDescriptor attributeStefan Metzmacher2012-12-101-2/+12
| | | | | | | | | | | If the sd_flags control is specified, we should return nTSecurityDescriptor only if the client asked for all attributes. If there's a list of only explicit attribute names, we should ignore the sd_flags control. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the sd_flags ↵Stefan Metzmacher2012-12-101-2/+9
| | | | | | | | | control is given (bug #9470) Not returning the nTSecurityDescriptor causes a lot of problems. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl_read: give some variables a better nameStefan Metzmacher2012-12-101-10/+13
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl_read: fix the calculation of the attribute array for the sub searchStefan Metzmacher2012-12-101-14/+19
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl_read: check the ldb_attr_list_copy_add() resultStefan Metzmacher2012-12-101-0/+12
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/dirsync: fix potential talloc hierachy problems (bug #9470)Stefan Metzmacher2012-12-101-3/+3
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/descriptor: fix replication of NC headsStefan Metzmacher2012-12-071-2/+2
| | | | | | | | | | | | The sub NC heads maybe replicated with the parent partition, if we don't need to recalculate the nTSecurityDescriptor attribute in that case, the replication of the of the sub partition should handle that. This fixes error messages like this: descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl_read: improve debugging for fatal errorStefan Metzmacher2012-12-071-3/+18
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)Stefan Metzmacher2012-12-071-0/+5
| | | | | | | Some modules might not allocate values on the correct memory context. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/schema_data.c: correctly move the CN=Aggregate attributes to ↵Stefan Metzmacher2012-12-071-6/+18
| | | | | | | | | msg->elements[i].values (bug #9470) We should keep the talloc hierarchy sane. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg() (bug #9470)Stefan Metzmacher2012-12-071-7/+7
| | | | | | | We should always update the ts_last_change. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/password_hash: Honor password complexity settings.Stefan Metzmacher2012-12-061-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | Honor password complexity settings when creating new users. Without this patch, you could set simple passwords although the complexity settings were enabled. This was an issue with 'samba-tool user add' and also when adding new users via Windows' "Active Directory Users and Computers" MMC Snap-In. The following scenarios were tested successfully after applying the patch: -'samba-tool user add' against s4 -'samba-tool user add -H' against a Windows DC -Adding a new user on a s4 DC using Windows' "Active Directory Users and Computers" MMC Snap-In. Please note that this bug was caused by a mistake in the documentation. Fix bug #9414 - 'samba-tool user add' ignores password complexity settings. Pair-programmed-with: Karolin Seeger <kseeger@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Karolin Seeger <kseeger@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Dec 6 05:11:43 CET 2012 on sn-devel-104
* s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flagsStefan Metzmacher2012-12-021-0/+44
| | | | | | | | | | | | | A client can send a full security_descriptor while just passing sd_flags of SECINFO_DACL. We need to NULL out elements which will be ignored depending on the sd_flags and may set the old owner/group sids. Otherwise the calculation of the DACL/SACL can replace CREATOR_OWNER with the wrong sid. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/tests: add SdAutoInheritTestsStefan Metzmacher2012-11-301-1/+83
| | | | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Fri Nov 30 18:59:50 CET 2012 on sn-devel-104
* s4:dsdb/repl_meta_data: call dsdb_module_schedule_sd_propagation() for ↵Stefan Metzmacher2012-11-301-2/+70
| | | | | | | | | replicated changes We only do so if the replicated object is not deleted. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)Stefan Metzmacher2012-11-301-3/+17
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/descriptor: recalculate nTSecurityDescriptor after a rename (bug #8621)Stefan Metzmacher2012-11-301-1/+18
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl_util: add dsdb_module_schedule_sd_propagation()Stefan Metzmacher2012-11-301-0/+29
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/descriptor: implement DSDB_EXTENDED_SEC_DESC_PROPAGATION_OIDStefan Metzmacher2012-11-301-8/+395
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb: define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OIDStefan Metzmacher2012-11-301-0/+12
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/descriptor: handle DSDB_CONTROL_SEC_DESC_PROPAGATION_OIDStefan Metzmacher2012-11-301-5/+67
| | | | | | | | This can only be triggered by ourself, that's why we expect control->data == module. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/schema_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher2012-11-301-0/+16
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/repl_meta_data: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher2012-11-301-0/+16
| | | | | | | | The propagation of nTSecurityDescriptor doesn't change the replProperyMetaData. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/objectclass_attrs: allow DSDB_CONTROL_SEC_DESC_PROPAGATION_OID on modifyStefan Metzmacher2012-11-301-0/+18
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb: define DSDB_CONTROL_SEC_DESC_PROPAGATION_OIDStefan Metzmacher2012-11-301-0/+7
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/subtree_delete: delete from the leafs to the root (bug #7711)Stefan Metzmacher2012-11-301-0/+19
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/subtree_delete: do the recursive delete AS_SYSTEM/TRUSTED (bug #7711)Stefan Metzmacher2012-11-301-3/+11
| | | | | | | | | | | Now that the acl module checks for SEC_ADS_DELETE_TREE, we can do the recursive delete AS_SYSTEM. We need to pass the TRUSTED flags as we operate from the TOP module. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/subtree_delete: do an early return and avoid some nestingStefan Metzmacher2012-11-301-24/+28
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/objectclass: do not pass the callers controls on helper searchesStefan Metzmacher2012-11-301-1/+1
| | | | | | | | | | We add AS_SYSTEM and SHOW_RECYCLED to the helper search, don't let the caller specify additional controls. This also fixes a problem when the caller also specified AS_SYSTEM. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl: require SEC_ADS_DELETE_TREE if the TREE_DELETE control is given ↵Stefan Metzmacher2012-11-301-0/+12
| | | | | | | (bug #7711) Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/dirsync: remove unused 'deletedattr' variableStefan Metzmacher2012-11-301-2/+0
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/common: add pekList and msDS-ExecuteScriptPassword to ↵Stefan Metzmacher2012-11-301-0/+2
| | | | | | | | | DSDB_SECRET_ATTRIBUTES_EX See [MS-ADTS] 3.1.1.4.4 Extended Access Checks. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* s4:dsdb/acl: also add DSDB_SECRET_ATTRIBUTES into the password attributesStefan Metzmacher2012-11-301-5/+36
| | | | | | | The @KLUDGEACL record might not be uptodate. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
generated by cgit (git 2.34.1) at 2025-09-04 15:59:50 +0000