path: root/source4/rpc_server/drsuapi
Columns: Commit message | Author | Age | Files | Lines
* s4:getncchanges_change_master - also in this call "i" needs to be unsigned
  Author: Matthias Dieter Wallnöfer | Age: 2010-09-10 | Files: 1 | Lines: -1/+2

* s4-drs: return DRSUAPI_EXOP_ERR_SUCCESS in extended_ret
  Author: Kamen Mazdrashki | Age: 2010-09-10 | Files: 1 | Lines: -0/+1
  In case we are handling an extended operation. It seems that Windows accepts both DRSUAPI_EXOP_ERR_SUCCESS and DRSUAPI_EXOP_ERR_NONE, but Samba is a little bit more picky on this.

* s4-drs: Handle extended operations only once
  Author: Kamen Mazdrashki | Age: 2010-09-10 | Files: 1 | Lines: -40/+45
  Most of the extended operations I know of work like:
  1. do extended operation
  2. collect a set of objects to return and start replication cycle
  3. continue returning objects as we have no more to give
  This way we ensure we are doing 1. only once.

* s4-rpc: Added handling of fsmo role transfer to GetNCChanges
  Author: Nadezhda Ivanova | Age: 2010-09-10 | Files: 1 | Lines: -0/+108
  This adds support for DRSUAPI_EXOP_FSMO_REQ_ROLE, DRSUAPI_EXOP_FSMO_RID_REQ_ROLE and DRSUAPI_EXOP_FSMO_REQ_PDC.
  Developed in collaboration with Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
* s4-drs: Dump exact error when failure occurs during DsReplicaUpdateRefs call
  Author: Kamen Mazdrashki | Age: 2010-09-07 | Files: 1 | Lines: -6/+10

* s4-drs: A quick fix for DRSUAPI_EXOP_FSMO_RID_ALLOC extended_op handling
  Author: Kamen Mazdrashki | Age: 2010-09-03 | Files: 1 | Lines: -0/+9
  When the DRSUAPI_EXOP_FSMO_RID_ALLOC extended op is handled in the DsGetNCChanges() stub, we need to return a well known set of objects - see: [ms-adts], 3.1.1.5.1.7.
  With this hack we are going to return just the objects modified during the RID allocation procedure - i.e. "RID Manager$", "RID Set" for the computer object and the computer object itself. Which is a close approximation of what we are expected to return.

* s4:getncchanges.c - fix some counter variable types
  Author: Matthias Dieter Wallnöfer | Age: 2010-08-23 | Files: 1 | Lines: -3/+3
  They should be "unsigned" since they count LDB objects. And also the SID array can be counted as "unsigned".

* s4-drs: show the user sid that does the GetNCChanges call
  Author: Andrew Tridgell | Age: 2010-08-23 | Files: 1 | Lines: -2/+3
  This is useful when debugging replication.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: removed the warning on WRIT_REP being set
  Author: Andrew Tridgell | Age: 2010-08-23 | Files: 1 | Lines: -4/+2
  We just need to clear this flag.

* s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid
  Author: Andrew Bartlett | Age: 2010-08-23 | Files: 2 | Lines: -3/+3
  This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privileges still need to be merged.)
  Andrew Bartlett
* s4-drs: fixed the error code for EXOP_REPL_SECRET getncchanges calls
  Author: Andrew Tridgell | Age: 2010-08-20 | Files: 1 | Lines: -10/+8
  When we deny an EXOP_REPL_SECRET call we should set the exop error code to NONE, and the main return code to WERR_DS_DRA_ACCESS_DENIED (based on observing Windows server behaviour).
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: bring us much closer to the docs for DRS secret replication
  Author: Andrew Tridgell | Age: 2010-08-20 | Files: 1 | Lines: -9/+241
  The rules for when a RODC can replicate secrets are:
  - it can always replicate its own acct
  - it can also replicate its krbtgt acct
  - it can't replicate other krbtgt accts
  - it can't replicate interdomain trust accounts
  - it can't replicate users in the denied group list
  - it can replicate users in the allowed group list
  - otherwise it can't replicate
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: implement RODC attribute filtering override
  Author: Andrew Tridgell | Age: 2010-08-20 | Files: 1 | Lines: -24/+50
  When a RODC uses the extended getncchanges operation DRSUAPI_EXOP_REPL_SECRET it gets an override on the ability to replicate the secret attributes.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: added sam_ctx_system on DRS bind state
  Author: Andrew Tridgell | Age: 2010-08-20 | Files: 2 | Lines: -0/+20
  The getncchanges call needs to be able to access the sam as the system user for RODC clients. To do this it needs a sam_ctx connection with system credentials.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: ATTIDs for deleted attributes should be based on msDs-IntId value if it exists
  Author: Kamen Mazdrashki | Age: 2010-08-19 | Files: 1 | Lines: -1/+2

* s4-drs: GetNCChanges() to return correct (in AD-way) ATTIDs
  Author: Kamen Mazdrashki | Age: 2010-08-19 | Files: 1 | Lines: -3/+16
  Depending on which NC is being replicated, GetNCChanges() returns either an ATTID based on the local prefixMap or the msDs-IntId value of the attributeSchema class for the attribute being replicated. If set, the msDs-IntId value is always returned when replicating an object from an NC other than the Schema NC. Objects in the Schema NC replica always use prefixMap based ATTIDs.
* s4:security Remove use of user_sid and group_sid from struct security_token
  Author: Andrew Bartlett | Age: 2010-08-18 | Files: 2 | Lines: -3/+3
  This makes the structure more like Samba3's NT_USER_TOKEN.

* s4-drs: allow getncchanges from RODC with WRIT_REP set
  Author: Andrew Tridgell | Age: 2010-08-17 | Files: 1 | Lines: -2/+2
  w2k8r2 is setting this bit as a RODC. Instead of refusing the replication, we now remove the bit from req8, which means other places in the code that check this bit can stay the same.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: added domain_sid to DRS security checks
  Author: Andrew Tridgell | Age: 2010-08-17 | Files: 6 | Lines: -10/+14
  We need the domain_sid to determine if the account is a RODC for our domain.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
  Author: Andrew Tridgell | Age: 2010-07-16 | Files: 4 | Lines: -8/+8
  This converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>

* s4:drsuapi: don't return all linked attributes at the same time
  Author: Stefan Metzmacher | Age: 2010-07-09 | Files: 1 | Lines: -8/+51
  Windows gives them in chunks, but I don't know the correct rule to calculate the chunk size. For now I'll use 1500 as the max size.
  Windows isn't happy when it gets ~ 100000 linked attributes in one response. It corrupts its directory index and later moves some objects to the LostAndFound folder.
  metze
* s4:drsuapi RPC server - "result_site_name" - fix variable denomination
  Author: Matthias Dieter Wallnöfer | Age: 2010-07-08 | Files: 1 | Lines: -3/+3

* s4:dcesrv_drsuapi.c - fix a counter variable
  Author: Matthias Dieter Wallnöfer | Age: 2010-06-28 | Files: 1 | Lines: -2/+1

* s4:rpc_server/drsuapi/drsutil.c - remove unreachable code
  Author: Matthias Dieter Wallnöfer | Age: 2010-06-26 | Files: 1 | Lines: -1/+0

* Finish removal of iconv_convenience in public API's.
  Author: Jelmer Vernooij | Age: 2010-05-18 | Files: 1 | Lines: -2/+1

* s4/rodc: RODC FAS initial implementation
  Author: Anatoliy Atanasov | Age: 2010-04-29 | Files: 1 | Lines: -11/+10
* s4/dsdb: dsdb_validate_invocation_id() should validate by objectGUID
  Author: Kamen Mazdrashki | Age: 2010-04-28 | Files: 1 | Lines: -4/+4
  This function is used in the DRSUpdateRefs() implementation, where we get the DSA's objectGUID rather than the invocationId.

* s4-getncchanges: honor DRSUAPI_DRS_REF_GCSPN
  Author: Andrew Tridgell | Age: 2010-04-27 | Files: 1 | Lines: -1/+3
  This is an alternative way of establishing repsTo.

* s4-drs: don't send uninstantiated objects in getncchanges
  Author: Andrew Tridgell | Age: 2010-04-26 | Files: 1 | Lines: -0/+5
  This includes deleted partitions.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: validate RODC credentials via the user_sid
  Author: Andrew Tridgell | Age: 2010-04-22 | Files: 1 | Lines: -27/+12
  This checks whether a replication client is a RODC by inclusion of the DOMAIN_RID_ENTERPRISE_READONLY_DCS sid in the user's token.
  Pair-Programmed-With: Rusty Russell <rusty@samba.org>
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: added new SECURITY_RO_DOMAIN_CONTROLLER level
  Author: Andrew Tridgell | Age: 2010-04-22 | Files: 5 | Lines: -14/+34
  This is used for allowing operations by RODCs, and denying them operations that should only be allowed for a full DC.
  This required a new domain_sid argument to security_session_user_level().
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-With: Rusty Russell <rusty@samba.org>

* s4-drs: only allow replication with the right invocationId
  Author: Andrew Tridgell | Age: 2010-04-22 | Files: 1 | Lines: -1/+20
  Non-administrator replication checks that the invocationId matches the sid of the user token being used.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-drs: Do not send RODC filtered attributes to RODCs on GetNCChanges reply
  Author: Fernando J V da Silva | Age: 2010-04-22 | Files: 1 | Lines: -0/+14
  While building an object to send in a GetNCChanges reply, it checks the attributes, and if any of them is RODC filtered and the recipient is a RODC, then that attribute is not sent.
  Signed-off-by: Andrew Tridgell <tridge@samba.org>

* s4-drs: samdb_is_rodc() function and new samdb_rodc() function
  Author: Fernando J V da Silva | Age: 2010-04-22 | Files: 1 | Lines: -1/+13
  This patch creates the samdb_is_rodc() function, which looks for the NTDSDSA object for a DC that has a specific invocationId, and if msDS-isRODC is present on such an object and it is TRUE, then considers the DC a RODC.
  The new samdb_rodc() function uses the samdb_is_rodc() function for the local server.
  Signed-off-by: Andrew Tridgell <tridge@samba.org>

* Revert "s4:prefer "samdb_*_dn" basedn calls over the "ldb_get_*_dn" functions"
  Author: Matthias Dieter Wallnöfer | Age: 2010-04-13 | Files: 1 | Lines: -2/+2
  We should use the "ldb_get_*_basedn" calls since they are available in the LDB library.
* s4/drs: drsuapi_DsAddEntry_ErrData propagate structure def in source code
  Author: Kamen Mazdrashki | Age: 2010-03-24 | Files: 1 | Lines: -4/+4

* s4:dsdb Change dsdb_get_schema() callers to use new talloc argument
  Author: Andrew Bartlett | Age: 2010-03-16 | Files: 1 | Lines: -2/+2
  This chooses an appropriate talloc context to attach the schema to, long enough lived to ensure it does not go away before the operation completes.
  Andrew Bartlett

* s4:rpc_server/drsuapi: don't reset [out,ref] pointer to NULL in dcesrv_drsuapi_DsRemoveDSServer()
  Author: Stefan Metzmacher | Age: 2010-03-11 | Files: 1 | Lines: -1/+0
  metze

* s4/rpc_server Don't segfault over replPropertyMetaData contents
  Author: Andrew Bartlett | Age: 2010-03-11 | Files: 1 | Lines: -0/+7
  The replPropertyMetaData may contain attrid values that we don't yet have in the local schema. We need to deal with this - it is a serious error, but we should not segfault.
  Andrew Bartlett

* s4:drsuapi RPC - Change also here counters to "unsigned"
  Author: Matthias Dieter Wallnöfer | Age: 2010-03-05 | Files: 3 | Lines: -7/+8
  No need to have "signed" counters at those places.

* s4/rodc: Implement samdb_rodc with ldb context
  Author: Anatoliy Atanasov | Age: 2010-03-01 | Files: 1 | Lines: -1/+1

* s4-dsdb: replace dsdb_modify_permissive() with dsdb_modify() and dsdb_flags
  Author: Andrew Tridgell | Age: 2010-02-16 | Files: 2 | Lines: -2/+4

* s4-drs: replace manual checks with dsdb_modify_permissive()
  Author: Andrew Tridgell | Age: 2010-02-15 | Files: 1 | Lines: -32/+1
  Much simpler to use the permissive control instead of manually munging the SPN list.

* s4-drs: use a permissive modify in addentry
  Author: Andrew Tridgell | Age: 2010-02-15 | Files: 1 | Lines: -1/+1
  It is not an error if entries already exist.
* s4: use LDB_TYPESAFE_QSORT() instead of ldb_qsort()
  Author: Andrew Tridgell | Age: 2010-02-13 | Files: 1 | Lines: -3/+2

* s4-rpcserver: use TYPESAFE_QSORT() in rpc servers
  Author: Andrew Tridgell | Age: 2010-02-13 | Files: 1 | Lines: -14/+12

* s4/drs: propagate DRS_ extension flags in code base
  Author: Kamen Mazdrashki | Age: 2010-02-05 | Files: 1 | Lines: -1/+1

* idl: switched to using the WSPP names for the 'neighbour' DRS options
  Author: Andrew Tridgell | Age: 2010-01-18 | Files: 1 | Lines: -4/+4
  The documentation shows that all these functions in fact use the same flags variable type. To be consistent between functions, and to allow easy reference to the WSPP docs, it is better for us to also use this generic DrsOptions bitfield rather than one per operation.

* s4-drs: allow for security bypass for DsReplicaGetInfo
  Author: Andrew Tridgell | Age: 2010-01-17 | Files: 1 | Lines: -5/+9
  Use --option=drs:disable_sec_check=true until the group membership bug with the PAC is fixed.

* s4-dsdb: take advantage of local cursor and sort
  Author: Andrew Tridgell | Age: 2010-01-16 | Files: 1 | Lines: -34/+3
  In getncchanges and the repl task we don't need the extra load and sort any more.