Stefan Metzmacher [Thu, 24 Sep 2009 04:45:10 +0000 (06:45 +0200)]
Revert "s3:winbindd: use a tcp connection for lsa in case lookup_names/lookup_sids doesn't work over ncacn_np"
This reverts commit f23691cffd39e5df81b7b075e61ed1def6cce9f6.
This should not have been committed...
metze
Stefan Metzmacher [Thu, 24 Sep 2009 04:38:08 +0000 (06:38 +0200)]
s3:rpc_server: we need to make a copy of my_name in serverinfo_to_SamInfo_base()
This is important for the case the server_info already contains a logon_server.
metze
Günther Deschner [Thu, 17 Sep 2009 07:43:36 +0000 (09:43 +0200)]
s3:winbindd: use a tcp connection for lsa in case lookup_names/lookup_sids doesn't work over ncacn_np
metze
Anatoliy Atanasov [Wed, 23 Sep 2009 23:51:55 +0000 (16:51 -0700)]
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_SPECIAL_SECRET_PROCESSING in getncchanges
When this flag is specified in the request these attributes are treated as
secret: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing,
lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials,
trustAuthIncoming, trustAuthOutgoing, unicodePwd
Their value is changed to NULL and the meta_data.originating_change_time to 0
Anatoliy Atanasov [Wed, 23 Sep 2009 23:52:34 +0000 (16:52 -0700)]
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_ASYNC_REP in getncchanges
When this flag is specified in the request we should return
for ncRoot only, and so the scope of the search is LDB_SCOPE_BASE.
Anatoliy Atanasov [Wed, 23 Sep 2009 23:58:58 +0000 (16:58 -0700)]
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_FULL_SYNC_PACKET in getncchanges
When this flag is specified in the request we shouldn't use the
uptodateness vector in the request.
Anatoliy Atanasov [Wed, 23 Sep 2009 22:48:10 +0000 (15:48 -0700)]
idl: regenerate idl
Anatoliy Atanasov [Wed, 23 Sep 2009 22:47:14 +0000 (15:47 -0700)]
s4: Handle DRSUAPI_DS_REPLICA_NEIGHBOUR_CRITICAL_ONLY req in getncchanges
Stefan Metzmacher [Fri, 8 Dec 2006 00:11:39 +0000 (00:11 +0000)]
Revert "r20074: this values seem to be typos in drsuapi"
This reverts commit 1dfd365d57dcd712d315a1a903c8d3d0a0f0fc12
This change was from and the flags I was seeing have another meaning.
metze
Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
Andrew Bartlett [Tue, 1 Sep 2009 09:56:56 +0000 (19:56 +1000)]
s4:ldif_handlers Fix memory leak in objectCategory LDIF handler
Andrew Tridgell [Wed, 23 Sep 2009 20:56:10 +0000 (13:56 -0700)]
s4-drs: fill in more guids and SIDs, plus filter rDN
In DsGetNCChanges we need to fill in the parentGUID and objectGUID of
each object, plus we need to filter out the rDN from the meta data,
and always send the instanceType
Andrew Tridgell [Wed, 23 Sep 2009 20:54:47 +0000 (13:54 -0700)]
s4-dsdb: cope with windows sending extra pad bytes
Andrew Tridgell [Wed, 23 Sep 2009 20:52:39 +0000 (13:52 -0700)]
s4-dsdb: added dsdb_find_sid_by_dn()
Andrew Tridgell [Wed, 23 Sep 2009 03:57:18 +0000 (20:57 -0700)]
s4-drsserver: fixed addition of sort control
Andrew Tridgell [Wed, 23 Sep 2009 03:56:54 +0000 (20:56 -0700)]
fixed spelling
Andrew Tridgell [Wed, 23 Sep 2009 03:56:32 +0000 (20:56 -0700)]
s4-drs: ignore zero value elements in DRS add operations
w2k8 sometimes sends us a new object via DRS with an attribute with no
values
Andrew Tridgell [Mon, 21 Sep 2009 23:30:31 +0000 (16:30 -0700)]
s4-netlogon: always set the dNSHostName in GetDomainInfo
This seems to be what w2k8 does
Andrew Tridgell [Mon, 21 Sep 2009 17:45:14 +0000 (10:45 -0700)]
regenerate IDL
Andrew Tridgell [Mon, 21 Sep 2009 17:42:42 +0000 (10:42 -0700)]
s4-netlogon: make GetDomainInfo response match w2k8
Andrew Tridgell [Mon, 21 Sep 2009 17:41:06 +0000 (10:41 -0700)]
s4-cldap: return domainFunctionality from SAM
Andrew Tridgell [Mon, 21 Sep 2009 17:38:40 +0000 (10:38 -0700)]
idl: fixed string termination for netlogon GetDomainInfo
Andrew Tridgell [Mon, 21 Sep 2009 17:38:09 +0000 (10:38 -0700)]
s4-nbt: added NBT_SERVER_DNS_FOREST
Volker Lendecke [Wed, 23 Sep 2009 13:47:05 +0000 (15:47 +0200)]
s3:gencache: Make gencache_del() return success for expired entries
This fixes nasty error messages from "net cache flush"
Volker Lendecke [Wed, 23 Sep 2009 13:41:06 +0000 (15:41 +0200)]
s3:gencache: Remove some over-paranoid locking
Volker Lendecke [Wed, 23 Sep 2009 13:21:40 +0000 (15:21 +0200)]
s3:gencache: Add a "was_expired" argument to gencache_get_data_blob
This is set to true if the routine returns failure due to an existing but
expired entry.
Jelmer Vernooij [Wed, 23 Sep 2009 12:22:36 +0000 (14:22 +0200)]
Check for PyString_FromString being NULL.
Jelmer Vernooij [Wed, 23 Sep 2009 09:01:52 +0000 (11:01 +0200)]
provision: Avoid linking in multiple copies of security python module.
Volker Lendecke [Wed, 23 Sep 2009 04:23:50 +0000 (06:23 +0200)]
s3:winbind: Fix an uninitialized variable
Andrew Tridgell [Wed, 23 Sep 2009 00:07:33 +0000 (17:07 -0700)]
s4-drsserver: sort by DN to give tree order
This might help the windows client with ordered requests. Later we
need to support the "ancestors" mode flag.
Andrew Tridgell [Wed, 23 Sep 2009 00:06:38 +0000 (17:06 -0700)]
s4-ldb: server side sort args are const char *
Andrew Tridgell [Wed, 23 Sep 2009 00:06:14 +0000 (17:06 -0700)]
s4-ldb: fixed call argument order for ldb_dn_from_ldb_val
This caused _lots_ of problems, especially in server side sort
Andrew Tridgell [Tue, 22 Sep 2009 21:26:59 +0000 (14:26 -0700)]
s4-ldb: added a bunch more debug for DC join
These additional debug messages were added to help us track down
w2k8->s4 domain join
Andrew Tridgell [Tue, 22 Sep 2009 21:25:52 +0000 (14:25 -0700)]
s4-ldb: when tracing, show ldb_set_debug messages
Andrew Tridgell [Tue, 22 Sep 2009 21:25:12 +0000 (14:25 -0700)]
s4-ldbmodules: allow instanceType to be specified by clients
This is needed for the WSPP ADS testsuite
Andrew Tridgell [Tue, 22 Sep 2009 21:20:36 +0000 (14:20 -0700)]
s4-util: windows only accepts lowercase hex encodings for extended DNs
Andrew Tridgell [Tue, 22 Sep 2009 07:18:25 +0000 (00:18 -0700)]
s4-torture: add some debug info to RPC-HANDLES
Andrew Tridgell [Tue, 22 Sep 2009 07:18:03 +0000 (00:18 -0700)]
s4-rpcserver: added support for shared handles
This supports shared RPC handles across connections on all RPC
interfaces.
It turns out that w2k3 and w2k8 don't actually support this on all
pipes. We need to test which pipes we should enable this on.
Andrew Tridgell [Tue, 22 Sep 2009 07:16:58 +0000 (00:16 -0700)]
s4-lsa: added support for QuerySecurity on LSA
This follows the sd pattern from samba3
Andrew Tridgell [Tue, 22 Sep 2009 04:36:54 +0000 (21:36 -0700)]
s4-rpcserver: added shared association groups
This patch allows us to share association groups and their rpc handles
between connections. This is needed for some DRSUAPI behaviour when
recent windows clients connect.
Andrew Tridgell [Tue, 22 Sep 2009 02:57:27 +0000 (19:57 -0700)]
s4-rpcserver: run all RPC operations in a single task
This will make it much easier to implement shared handles with
association groups. It also means we can share the ldb between RPC
connections.
Andrew Tridgell [Tue, 22 Sep 2009 02:56:36 +0000 (19:56 -0700)]
s4-rpc: remove two unused functions
Andrew Tridgell [Tue, 22 Sep 2009 01:15:19 +0000 (18:15 -0700)]
s4-ldb: only show the outer level of ldb ops when tracing
Andrew Tridgell [Tue, 22 Sep 2009 00:52:21 +0000 (17:52 -0700)]
s4-ldb: don't show timestamps on every line of ldb traces
This adds ldb_debug_add() and ldb_debug_end() to format multiline
messages
Michael Adam [Tue, 22 Sep 2009 22:52:03 +0000 (00:52 +0200)]
build: use AS_HELP_STRING() for --with-localedir
Michael
Michael Adam [Tue, 22 Sep 2009 22:48:44 +0000 (00:48 +0200)]
build: add switch "--with-codepagedir=DIR" to configure.
This is to address bug #6444.
Michael
Michael Adam [Tue, 22 Sep 2009 21:23:02 +0000 (23:23 +0200)]
build: add datadir to "make showlayout"
Michael
Anatoliy Atanasov [Tue, 22 Sep 2009 21:37:58 +0000 (14:37 -0700)]
Move the check above the talloc
Günther Deschner [Thu, 17 Sep 2009 07:43:36 +0000 (09:43 +0200)]
s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working.
Winbindd should always try to use LSA via an schannel authenticated ncacn_ip_tcp
connection when talking to AD for LSA lookup calls.
In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via an
schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve
sids and names.
Guenther
Günther Deschner [Sat, 12 Sep 2009 21:30:39 +0000 (23:30 +0200)]
s3-winbindd: add cm_connect_lsa_tcp().
Guenther
Rusty Russell [Tue, 22 Sep 2009 01:02:10 +0000 (10:32 +0930)]
lib/tevent: a cleaner fix for be4ac227842530d484659f2db683453366326d8b segv
Revert 23abcd2318c69753aa2a144e1dc0f9cf9efdb705 and fix logic bug.
The current code loops through the event contexts, when it sees a different
one, it notifies the current one (ev) and updates ev to point to the new one.
This is dumb, because:
(1) ev starts as NULL, so this code crashes, and
(2) The final context will not be notified.
The correct fix for this is to update ev to the new one, then notify it.
Volker's fix works because we currently always have one event context.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
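An added illustration of the two loop orders described in the commit message above. This is example code written for this page, not tevent's own code: it models a list of signal-handler records, each owned by one event context, and walks it once in the original "notify the previous context, then move on" order and once in the corrected "move on, then notify" order. The names (struct ctx, struct handler, walk_buggy, walk_fixed, demo) and the guard_null switch, which lets the buggy order run past the NULL dereference so that the second defect is visible in the counts, are assumptions of this example.

```c
/* Added illustration of the loop-ordering bug; not tevent's code. Handler
 * records are walked in order and a context must be woken whenever the walk
 * reaches handlers that belong to it. struct ctx, struct handler, walk_buggy,
 * walk_fixed and demo are names assumed for this example. */
#include <stddef.h>
#include <stdio.h>

struct ctx {
    int id;
    int notified;   /* times the walk woke this context */
};

struct handler {
    struct ctx *ev; /* event context owning this handler */
};

/* The original order: on seeing a different context, notify the one we were
 * on (ev) and only then move ev to the new one. ev starts as NULL, so the
 * first change would dereference NULL (reported here as -1 instead of
 * crashing), and the context seen last is never notified because nothing
 * "different" follows it. With guard_null set, the NULL notify is skipped;
 * that only hides point (1), point (2) stays visible in the counts. */
static int walk_buggy(struct handler *hs, size_t n, int guard_null)
{
    struct ctx *ev = NULL;
    for (size_t i = 0; i < n; i++) {
        if (hs[i].ev != ev) {
            if (ev != NULL) {
                ev->notified++;
            } else if (!guard_null) {
                return -1;              /* would crash: notify(NULL) */
            }
            ev = hs[i].ev;
        }
    }
    return 0;
}

/* The corrected order: move ev to the new context first, then notify it.
 * No NULL is ever dereferenced and the final context is woken as well. */
static int walk_fixed(struct handler *hs, size_t n)
{
    struct ctx *ev = NULL;
    for (size_t i = 0; i < n; i++) {
        if (hs[i].ev != ev) {
            ev = hs[i].ev;
            ev->notified++;
        }
    }
    return 0;
}

/* Constructed scenario: three contexts, handlers grouped as a,a,b,c,c.
 * Returns how many contexts the fixed walk notified (all three) and reports
 * through the out-parameters how the buggy walk behaves on the same list. */
static int demo(int *buggy_crashes, int *buggy_missed)
{
    struct ctx a = {1, 0}, b = {2, 0}, c = {3, 0};
    struct handler hs[] = { {&a}, {&a}, {&b}, {&c}, {&c} };
    size_t n = sizeof(hs) / sizeof(hs[0]);
    int woken;

    /* point (1): the very first context change hits notify(NULL) */
    *buggy_crashes = (walk_buggy(hs, n, 0) == -1);

    /* point (2): even past the NULL, the last context (c) is never woken */
    a.notified = b.notified = c.notified = 0;
    walk_buggy(hs, n, 1);
    *buggy_missed = (a.notified == 0) + (b.notified == 0) + (c.notified == 0);

    a.notified = b.notified = c.notified = 0;
    walk_fixed(hs, n);
    woken = (a.notified > 0) + (b.notified > 0) + (c.notified > 0);
    return woken;
}

int main(void)
{
    int crashes, missed;
    int woken = demo(&crashes, &missed);
    printf("buggy order: crash on first change=%d, contexts left unnotified=%d\n",
           crashes, missed);
    printf("fixed order: contexts notified=%d\n", woken);
    return 0;
}
```

The shape of the bug is the classic "act on group change" loop that fires for the previous group: it needs a sentinel for the first group and a flush after the loop for the last, whereas notifying the new group as soon as it is entered needs neither.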
Nadezhda Ivanova [Tue, 22 Sep 2009 03:08:52 +0000 (20:08 -0700)]
s4:dsdb Fix of double addition of SDs
Also add error strings in descriptor module
Andrew Bartlett [Tue, 22 Sep 2009 02:26:59 +0000 (19:26 -0700)]
s4:ldb Add 'single-value' support to LDB.
This is currently only triggered via Samba4's schema code.
Nadezhda Ivanova [Tue, 22 Sep 2009 00:29:28 +0000 (17:29 -0700)]
Merge branch 'master' of git://git.samba.org/samba
Nadezhda Ivanova [Tue, 22 Sep 2009 00:27:50 +0000 (17:27 -0700)]
Initial Implementation of the DS objects access checks.
Currently disabled. The search will be greatly modified,
also the object tree stuff will be simplified.
Anatoliy Atanasov [Tue, 22 Sep 2009 00:14:06 +0000 (17:14 -0700)]
Add support in the ldb_dn.c code for MS-ADTS:3.1.1.5.1.2 Naming Constraints
Anatoliy Atanasov [Tue, 22 Sep 2009 00:01:20 +0000 (17:01 -0700)]
Add tests for MS-ADTS:3.1.1.5.1.2 Naming Constraints
Andrew Bartlett [Mon, 21 Sep 2009 23:31:08 +0000 (16:31 -0700)]
s4:dsdb Run the new 'descriptor' module by default.
This code was derived from the objectclass module, and we need the new
code in the default provision, or else no ACL is set on each object.
Andrew Bartlett
Andrew Tridgell [Mon, 21 Sep 2009 23:29:44 +0000 (16:29 -0700)]
s4-ldb: bit prettier output
Andrew Tridgell [Mon, 21 Sep 2009 23:29:22 +0000 (16:29 -0700)]
s4-ldb: fixed O(n^2) string handling in ldif debug print
Andrew Tridgell [Mon, 21 Sep 2009 22:25:10 +0000 (15:25 -0700)]
s4-samdb: enable ldb tracing when log level >= 10
Andrew Tridgell [Mon, 21 Sep 2009 22:24:55 +0000 (15:24 -0700)]
s4-schema: don't trace the schema load (too verbose)
Andrew Tridgell [Mon, 21 Sep 2009 22:24:39 +0000 (15:24 -0700)]
s4-ldb: add --trace command line option to ldb tools
This enables LDB_FLG_ENABLE_TRACING
Andrew Tridgell [Mon, 21 Sep 2009 22:24:14 +0000 (15:24 -0700)]
s4-ldb: add a LDB_FLG_ENABLE_TRACING for full ldb tracing
When LDB_FLG_ENABLE_TRACING is set ldb will send full traces
of all operations and results
Andrew Tridgell [Mon, 21 Sep 2009 01:58:18 +0000 (18:58 -0700)]
s4-ldap: default edn type is 0
Andrew Tridgell [Mon, 21 Sep 2009 01:24:23 +0000 (18:24 -0700)]
s4-ldb: add support for extended DNs in the rootDSE
W2K8 join as a DC relies on being able to ask for the sid component of
extended DNs from the rootDSE DNs
Andrew Tridgell [Sun, 20 Sep 2009 22:45:53 +0000 (15:45 -0700)]
s4-dsdb: fixed a printf format warning
Nadezhda Ivanova [Mon, 21 Sep 2009 21:26:15 +0000 (14:26 -0700)]
Merge branch 'master' of git://git.samba.org/samba
Andrew Bartlett [Mon, 21 Sep 2009 19:28:38 +0000 (12:28 -0700)]
s4:kerberos Fix the salt to match Windows 2008.
The previous commit changed the wrong end - we must fix our server,
not our client.
Andrew Bartlett
Andrew Bartlett [Mon, 21 Sep 2009 18:59:33 +0000 (11:59 -0700)]
s4:provision Make our default salt match our server behaviour
We need to look into salting algorithms further.
Andrew Bartlett
Michael Adam [Sun, 20 Sep 2009 22:08:34 +0000 (00:08 +0200)]
tdb:tdbtool: fix indentation.
Michael
Michael Adam [Sun, 20 Sep 2009 21:58:27 +0000 (23:58 +0200)]
tdb:tdbtool: add transaction_start/_commit/_cancel commands.
So one can perform tdbtool operations protected by transactions.
Michael
Michael Adam [Sun, 20 Sep 2009 21:58:05 +0000 (23:58 +0200)]
tdb:tdbtool: add the "speed" command to the help text.
Michael
Matthias Dieter Wallnöfer [Mon, 21 Sep 2009 15:20:49 +0000 (17:20 +0200)]
s4:provision - Fix up ProvisioningError class as suggested by Jelmer
Matthias Dieter Wallnöfer [Mon, 21 Sep 2009 11:53:47 +0000 (13:53 +0200)]
s4:samdb/tools - That should now fix the last failures
Matthias Dieter Wallnöfer [Mon, 21 Sep 2009 09:59:07 +0000 (11:59 +0200)]
s4:libnet_become_dc - bump down the level requested by abartlet
Matthias Dieter Wallnöfer [Mon, 21 Sep 2009 09:53:19 +0000 (11:53 +0200)]
s4:scripts - Reintroduce "-H" parameter
I removed it since on some scripts it was present, on others not - so I thought
it wouldn't be really needed. This was a bad decision (pointed out by abartlet).
So I reintroduce it on all scripts (to have consistent parameters).
Matthias Dieter Wallnöfer [Mon, 21 Sep 2009 09:33:13 +0000 (11:33 +0200)]
Revert "blackbox:test_kinit - Remove the "-H" (hive) parameter"
This reverts commit d4389a230b6aea5a0b2a98e255b14a59c8248b0b.
This revert changed the behaviour, which I didn't expect. Thanks abartlet for
pointing this out!
Andrew Bartlett [Mon, 21 Sep 2009 04:32:16 +0000 (21:32 -0700)]
s4:provision Make us Windows 2008 level by default again
Also add a note to clarify that this should not be changed without
discussion and consensus. We don't want this bouncing around.
Parameter support to allow optional selection of Win2003 mode welcomed.
Andrew Bartlett
Stefan Metzmacher [Mon, 21 Sep 2009 04:26:30 +0000 (06:26 +0200)]
s3:secrets_schannel: revert to using version 1
It doesn't really matter if the entries
have invalid context in it. Older versions of samba
refuse to open the file if the version doesn't match.
If we can't parse individual records, we'll fail schannel binds,
but the clients are supposed to reestablish the netlogon secure channel
by doing ServerReqChallenge/ServerAuthenticate* again. This
will just overwrite the old record.
metze
Stefan Metzmacher [Mon, 21 Sep 2009 00:42:35 +0000 (02:42 +0200)]
s3:winbindd: avoid writing to a closed connection and generating SIGPIPE
metze
Stefan Metzmacher [Mon, 21 Sep 2009 00:36:06 +0000 (02:36 +0200)]
async_sock: return -1/EPIPE if we're getting an end of file on read.
This makes the error handling in the callers easier.
metze
Stefan Metzmacher [Sun, 20 Sep 2009 21:29:34 +0000 (23:29 +0200)]
s3:lib/select: don't overwrite errno in the signal handler
metze
Stefan Metzmacher [Mon, 21 Sep 2009 01:16:18 +0000 (03:16 +0200)]
tevent: make sure we don't set errno within the signal handler function.
metze
Stefan Metzmacher [Mon, 21 Sep 2009 03:15:59 +0000 (05:15 +0200)]
s4:dsdb/resolve_oids: add fast paths for the common operations without oids
metze
Stefan Metzmacher [Mon, 21 Sep 2009 03:15:38 +0000 (05:15 +0200)]
s4:dsdb/resolve_oids: check return values in recursion
metze
Andrew Bartlett [Mon, 21 Sep 2009 03:28:42 +0000 (20:28 -0700)]
s4:py_security Add missing header
Nadezhda Ivanova [Mon, 21 Sep 2009 00:43:46 +0000 (17:43 -0700)]
Merge branch 'master' of git://git.samba.org/samba
Andrew Bartlett [Sun, 20 Sep 2009 23:27:24 +0000 (16:27 -0700)]
s4:provision Use code to store domain join in 'net join' as well
This ensures we only have one codepath to store the secret, and
therefore that we have a single choke point for setting the
saltPrincipal, which we were previously skipping.
Andrew Bartlett
Andrew Bartlett [Sun, 20 Sep 2009 22:38:29 +0000 (15:38 -0700)]
s4:ldb print out which LDB the transaction is still active on.
Andrew Bartlett [Sun, 20 Sep 2009 03:40:17 +0000 (20:40 -0700)]
s4:provision split provision of DNS zone and self join keytab
Andrew Tridgell [Sun, 20 Sep 2009 22:27:09 +0000 (15:27 -0700)]
s4-selftest: disable RAP-SCAN test
also pointless now we have docs
Andrew Tridgell [Sun, 20 Sep 2009 22:23:34 +0000 (15:23 -0700)]
s4-selftest: disable RPC-COUNTCALLS
The RPC-COUNTCALLS was useful when we were working out IDL by hand
Nadezhda Ivanova [Sun, 20 Sep 2009 20:50:34 +0000 (13:50 -0700)]
Initial implementation of security descriptor creation in DS
TODOs:
ACE sorting and clarifying the inheritance of object specific ace's.
Matthias Dieter Wallnöfer [Sun, 20 Sep 2009 22:03:42 +0000 (00:03 +0200)]
Merge branch 'master' of git://git.samba.org/samba
Matthias Dieter Wallnöfer [Sun, 20 Sep 2009 21:49:05 +0000 (23:49 +0200)]
s4:python tools - try to fix some test problems
Matthias Dieter Wallnöfer [Sun, 20 Sep 2009 21:27:47 +0000 (23:27 +0200)]
s4:samba3sam.py test - remove the primary group ID attribute here
This shouldn't be specified on creation time (Windows Server doesn't allow that).
Hope this also fixes the test (see buildfarm).
Matthias Dieter Wallnöfer [Sun, 20 Sep 2009 21:16:04 +0000 (23:16 +0200)]
s4:sec_descriptor - fix constant
Matthias Dieter Wallnöfer [Sun, 20 Sep 2009 21:07:22 +0000 (23:07 +0200)]
blackbox:test_kinit - Remove the "-H" (hive) parameter
The "enableaccount" script now works only on the local LDB - therefore remove
this parameter.
Nadezhda Ivanova [Sun, 20 Sep 2009 04:45:07 +0000 (21:45 -0700)]
Disable descriptor module unless enabled in smb.conf
Since this code may still have some problems, it is not executed by default.
To enable descriptor inheritance add:
acl:inheritance = true
in your smb.conf
Matthias Dieter Wallnöfer [Sun, 20 Sep 2009 20:49:55 +0000 (22:49 +0200)]
s4:dsdb/common/util - Check for the right forest/domain function level
This adds a function which performs the check for the supported forest and
domain function levels. On an unsuccessful result a textual error message can
be created (parameter "errmsg" != NULL) which gives hints to help the user
fix the issue.