path: root/source4/dsdb
Commit message | Author | Date | Files | Lines
* repl_meta_data: Correctly use msDS-IntId for custom schema, not the prefixMap value
  Andrew Bartlett | 2016-03-15 | 2 files | -14/+72

  We must, when dealing with custom schema, respect the msDS-IntId value recorded in the schema. If we do not, then we will create multiple replPropertyMetaData records for the one attribute. This may cause confusion during replication.

  This fixes the issue by always calling dsdb_attribute_get_attid() to obtain the correct local (32 bit integer) attribute ID.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11443
  (cherry picked from commit ecf0dd49e07e2c7fad5adf0a82abbc3e301a4e5a)
* pydsdb: Fix returning of ldb.MessageElement.
  Andrew Bartlett | 2016-03-15 | 1 file | -6/+43

  This object is not based on pytalloc_Object and so this causes a segfault (later a failure) when the struct definitions diverge.

  We must also not reuse the incoming ldb_message_element as a talloc context and overwrite the values, instead we should create a new object and return that.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  (cherry picked from commit b96b1e88f760c92c7d9bb7e732f72d7e73a68907)
* dsdb/repl: Ensure we use the LOCAL attid value, not the remote one
  Andrew Bartlett | 2016-03-14 | 2 files | -5/+25

  The key here is that while this never was an issue for builtin schema, nor for objects with an msDS-IntID used outside the schema partition, additional attributes added and used in the schema partition were incorrectly using the wrong attributeID value in the replPropertyMetaData.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11783
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Sun Mar 13 23:29:14 CET 2016 on sn-devel-144
  (cherry picked from commit 6ecfc4cb254f9b2524ec5619ed8cee9db5d959b2)
* dlist: remove unneeded type argument from DLIST_ADD_END()
  Michael Adam | 2016-03-04 | 11 files | -16/+16

  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 476672b647e44898a6de8894b23e598ad13b1fcf)
* build: fix ldbsearch panic on FC22
  Uri Simchoni | 2016-01-23 | 1 file | -1/+1

  Add dependency that fixes ldbsearch panic due to conflict - function read_data() is implemented both by libtspi.so.1, which is a dependency of gnutls on FC22, and by an internal samba shared lib.

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Uri Simchoni <uri@samba.org>
  Autobuild-Date(master): Sat Jan 23 00:06:59 CET 2016 on sn-devel-144
* ldb-samba: Reenable recursive search
  Adrian Cochrane | 2016-01-18 | 1 file | -1/+3

  In order for the recursive search module to work, we first must stop asserting that any extended match rule is a DN (to be modified per the extended DN munging), as this is not the case for this particular rule.

  This reverts commit 8cacd5b8113fa30fb4ccaaf3193839660feb285f.

  Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4:acl LDB module - fix error message
  Matthias Dieter Wallnöfer | 2016-01-14 | 1 file | -1/+1

  Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Jan 14 04:54:26 CET 2016 on sn-devel-144
* Rename 'errors' to 'samba-errors' and make it public.
  Jelmer Vernooij | 2016-01-13 | 1 file | -2/+2

  This is necessary because it has public headers.

  Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
  Reviewed-By: Andrew Bartlett <abartlet@samba.org>
  Reviewed-By: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
* Avoid including libds/common/roles.h in public loadparm.h header.
  Jelmer Vernooij | 2016-01-13 | 3 files | -0/+3

  Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-By: Andrew Bartlett <abartlet@samba.org>
  Reviewed-By: Stefan Metzmacher <metze@samba.org>
* samdb: Add explicit dependency on ldb.
  Jelmer Vernooij | 2016-01-13 | 1 file | -1/+1

  This is needed to pull in the right -I flags.

  Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
* Use full path to dlinklist.h in includes.
  Jelmer Vernooij | 2016-01-13 | 1 file | -1/+1

  Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
* samdb: Fix CID 1347320 Dereference null return value
  Volker Lendecke | 2016-01-08 | 1 file | -0/+6

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* python: Remove Python 2.4 support macros
  Andrew Bartlett | 2016-01-07 | 1 file | -7/+0

  We require Python 2.6.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
* dsdb subnets: warn when an IPv6 address is in IPv4 embedding range
  Douglas Bagnall | 2015-12-24 | 2 files | -0/+43

  We fail on these ones, and it isn't immediately obvious why. Windows also fails on *most* of them, but succeeds on "::ffff:0:0" which is a bit strange but there you go.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Dec 24 07:16:25 CET 2015 on sn-devel-144
* samldb: ensure subnets have proper net ranges
  Douglas Bagnall | 2015-12-24 | 2 files | -0/+556

  A subnet name needs to be a valid CIDR address range -- that's the ones that look like 10.9.8.0/22, where the number after the / determines how many bits are in the address suffix. It can be IPv4 or IPv6.

  There are a few odd constraints (see MS-ADTS v20150630 6.1.1.2.2.2.1 "Subnet Object") -- for example, with IPv4, the implied bit mask can't equal the address. That is, you can't have a subnet named "255.255.255.0/24" in a Windows subnet. This rule does not apply to IPv6.

  Windows and Samba both make some effort to ensure that subnets have a unique valid name, though unfortunately Windows 2008R2 is rather slack when it comes to IPv6. We follow Windows 2012R2, which roughly follows RFC5952 -- with one caveat: Windows will allow an address like "::ffff:0:1:2", which translates to the IPv4 address "0.1.0.2" using the SIIT translation scheme, and which inet_ntop() would render as "::ffff:0:0.1.0.2". In the Samba implementation we use an inet_pton()/inet_ntop() round-trip to establish canonicality, so these addresses fail. Windows wisely does not allow the SIIT style addresses (the acronym is widely agreed to be off-by-one in the second letter), and it will regard "::ffff:0:1:2" as simply "::ffff:0:1:2" and allow it. We would like to do that too.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool: add sites subnet subcommands
  Douglas Bagnall | 2015-12-24 | 1 file | -0/+76

  This allows you to add, remove, or shift subnets.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python.sites tests: remove excessive transaction management
  Douglas Bagnall | 2015-12-24 | 1 file | -4/+0

  These are atomic anyway.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* selftest: Allow sites test to run against a remote ldap:// host
  Andrew Bartlett | 2015-12-24 | 1 file | -4/+1

  The previous code was just broken.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dsdb.tests.sites: don't use global database, tidy long lines
  Douglas Bagnall | 2015-12-24 | 1 file | -22/+23

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb.tests.sites: merge interdependent tests
  Douglas Bagnall | 2015-12-24 | 1 file | -5/+2

  The delete test deleted the site made by the create test, which worked because "delete" sorts after "create" alphabetically. By themselves, "delete" would fail and "create" would neglect its duty to clean up.

  This would be an issue if the order of tests changes, if one of the tests is not run, or if another test appears in between.

  Everything is fine if they give up the pretense of independence.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* repl: Skip new subdomains and partitions when replicating
  Andrew Bartlett | 2015-12-24 | 1 file | -6/+43

  These will need to be handled later, but probably via reading the cross-ref objects.

  This avoids total failure when cloning a DC that has subdomains.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl
  Andrew Bartlett | 2015-12-16 | 2 files | -11/+76

  Swapping between account types is now restricted.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11552
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Dec 16 16:03:18 CET 2015 on sn-devel-104
* password_lockout: test creds.get_kerberos_state()
  Douglas Bagnall | 2015-12-15 | 1 file | -0/+1

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Garming Sam <garming@samba.org>
  Autobuild-Date(master): Tue Dec 15 03:17:52 CET 2015 on sn-devel-104
* auth: keep track of lastLogon and lastLogonTimestamp
  Douglas Bagnall | 2015-12-15 | 1 file | -41/+295

  lastLogon is supposed to be updated for every interactive or kerberos login, and (according to testing against Windows2012r2) when the bad password count is non-zero but the lockout time is zero. It is not replicated.

  lastLogonTimestamp is updated if the old value is more than 14 - random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The 14 in this calculation is the default, stored as "msDS-LogonTimeSyncInterval", which we offer no interface for changing.

  The authsam_zero_bad_pwd_count() function is a convenient place to update these values, as it is called upon a successful logon however that logon is performed. That makes the function's name inaccurate, so we rename it authsam_logon_success_accounting(). It also needs to be told whether the login is interactive.

  The password_lockout tests are extended to test lastLogon and lastLogonTimestamp.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* password_lockout tests: add assertLoginFailure()
  Douglas Bagnall | 2015-12-15 | 1 file | -10/+12

  In a few places where a login should fail in a particular way, an actual login success would not have triggered a test failure -- only the wrong kind of login failure was caught. This makes a helper function to deal with them all.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* Fix various spelling errors
  Mathieu Parent | 2015-11-06 | 3 files | -4/+4

  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Nov 6 13:43:45 CET 2015 on sn-devel-104
* pydsdb: Also accept ldb.MessageElement values to dsdb routines
  Andrew Bartlett | 2015-10-26 | 1 file | -52/+61

  This shows the correct way to accept a value that may be a list of strings or a proper ldb.MessageElement.

  Andrew Bartlett

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* repl: Give an error if we get a secret when not expecting one
  Andrew Bartlett | 2015-10-26 | 3 files | -3/+24

  We should never get a secret from a server when we specify DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING. This asserts that this is the case.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* repl_meta_data: Print more detail into the LDB error string, not just DEBUG()
  Andrew Bartlett | 2015-10-26 | 1 file | -17/+49

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dsdb: Add functional levels for 2012 and 2012R2
  Andrew Bartlett | 2015-10-20 | 1 file | -0/+2

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dsdb: Fix a confusing parameter
  Volker Lendecke | 2015-09-08 | 1 file | -1/+1

  LDB_SCOPE_BASE is 0, so this works, but the corresponding parameter is "struct ldb_control **controls", so I'd say NULL is more appropriate here. Fixes a warning I just saw pass by.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* samdb: Fix CID 1034736 Dereference after null check
  Volker Lendecke | 2015-09-08 | 1 file | -1/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
* lib: Convert callers of sid_blob_parse to sid_parse
  Volker Lendecke | 2015-08-26 | 1 file | -1/+1

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dbcheck: Add explicit tests for unknown and unsorted attributeID values
  Andrew Bartlett | 2015-08-24 | 2 files | -9/+28

  Unknown attributeID values would cause an exception previously, and unsorted attributes cause a failure to replicate with Samba 4.2.

  In commit 61b978872fe86906611f64430b2608f5e7ea7ad8 we started to sort these values correctly, but previous versions of Samba did not sort them correctly (we sorted high-bit-set values as negative), and then after 9c9df40220234cba973e84b4985d90da1334a1d1 we stopped accepting these.

  To ensure we are allowed to make this unusual change to the replPropertyMetaData, a new OID is allocated and checked for in repl_meta_data.c

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* pydsdb: Allow the full range of uint32_t values for attributeID
  Andrew Bartlett | 2015-08-24 | 1 file | -2/+2

  The high bit may be set in these integers, so we need an unsigned int to store it in.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* Revert "dsdb: Only parse SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DN"
  Andrew Bartlett | 2015-08-17 | 1 file | -3/+1

  This reverts commit 1a012d591bca727b5cabacf6455d2009afb16bd7.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10493
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Disable tombstone_reanimation module until we isolate what causes flaky tests
  Kamen Mazdrashki | 2015-07-20 | 2 files | -1/+8

  Change-Id: I323a2cd5eb2449a44a9cb53abab5a127d21c5967
  Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-samdb: Correctly cast data pointer
  Andreas Schneider | 2015-07-17 | 1 file | -1/+1

  This fixes a signedness warning.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CID 1311772: Fix null pointer check
  Andreas Schneider | 2015-07-15 | 1 file | -1/+1

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Wed Jul 15 04:50:36 CEST 2015 on sn-devel-104
* CID 1311771: Fix a null pointer dereference
  Andreas Schneider | 2015-07-15 | 1 file | -1/+1

  We check for dir == NULL but dereference it during variable declaration.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CID 1311767: Cast enum type to avoid compiler warnings
  Andreas Schneider | 2015-07-15 | 1 file | -1/+1

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CID 1311764: Fix logical compare in if clause
  Andreas Schneider | 2015-07-15 | 1 file | -2/+2

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4:dsdb/common: add dsdb_trust_merge_forest_info() helper function
  Stefan Metzmacher | 2015-07-08 | 1 file | -0/+418

  This is used to merge the netr_GetForestTrustInformation() result with the existing information in msDS-TrustForestTrustInfo.

  New top level names are added with LSA_TLN_DISABLED_NEW while all others keep their flags.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: dsdb_trust_normalize_forest_info_step[1,2]() and dsdb_trust_verify_forest_info()
  Stefan Metzmacher | 2015-07-08 | 1 file | -0/+752

  These will be used in dcesrv_lsa_lsaRSetForestTrustInformation() in the following order:

  - dsdb_trust_normalize_forest_info_step1() verifies the input forest_trust_information and does some basic normalization.
  - the output of step1 is used in dsdb_trust_verify_forest_info() to verify overall view of trusts and forests, this may generate collision records and marks records as conflicting.
  - dsdb_trust_normalize_forest_info_step2() prepares the records to be stored in the msDS-TrustForestTrustInfo attribute.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: add dsdb_trust_xref_tdo_info() helper function
  Stefan Metzmacher | 2015-07-08 | 1 file | -0/+20

  This emulates a lsa_TrustDomainInfoInfoEx struct for our own domain.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: add dsdb_trust_forest_info_from_lsa() helper function
  Stefan Metzmacher | 2015-07-08 | 1 file | -0/+103

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: add dsdb_trust_get_incoming_passwords() helper function
  Stefan Metzmacher | 2015-07-08 | 1 file | -0/+116

  This extracts the current and previous nt hashes from trustAuthIncoming as the passed TDO ldb_message.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/password_hash: reject interdomain trust password changes via LDAP
  Stefan Metzmacher | 2015-07-08 | 1 file | -0/+16

  Only the LSA and NETLOGON server should be able to change this, otherwise the incoming passwords in the trust account and trusted domain object get out of sync.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: support trusted domains in samdb_set_password_sid()
  Stefan Metzmacher | 2015-07-08 | 1 file | -8/+362

  We also need to update trustAuthIncoming of the trustedDomain object.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/common: make use of dsdb_search_one() in samdb_set_password_sid()
  Stefan Metzmacher | 2015-07-08 | 1 file | -12/+21

  This will simplify the following commits.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>