dsdb/modules: minor comment typos in samba_dsdb Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
paged results: new paged results module using GUID list Replacing paged results module to use GUID list instead of storing result list in memory, in order to improve memory performance. Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dsdb: Remove readOnlySchema concept from Samba This is a hold-over from the LDAP backend project, which has not yet been revived. There will be bigger issues than what to do if the schema changes if this ever comes back and our schema code is way too complex at the moment. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
dsdb: Audit group membership changes Log details of Group membership changes and User Primary Group changes. Changes are logged in human readable and, if samba has been built with JANSSON support, in JSON format. Replicated updates are not logged. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dsdb: audit samdb and password changes Add audit logging of DSDB operations and password changes; log messages are logged in human readable format and, if samba is compiled with JANSSON support, in JSON format. Log: * Details all DSDB add, modify and delete operations. Logs attributes, values, session details, transaction id. * Transaction roll backs. * Prepare commit and commit failures. * Summary details of replicated updates. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dsdb: ensure we take out a read lock during the dsdb_init We have to also take it out in the partitions code when we load the partition backends. This ensures that the init handlers hold a whole-db lock just as the search code does. To ensure the locking count in schema_load is balanced, the private data is now created in the first lock_read() call. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
dsdb: add lmdbLevelOne as a required feature. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
provision: Changes to support encrypted_secrets module Changes to provision and join to create a database with encrypted_secrets enabled and a key file generated. Also adds the --plaintext-secrets option to join and provision commands to allow the creation of unencrypted databases. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4 dsdb: Allow duplicate non local objectSIDs Remove the unique constraint on the objectSID index, and enable the unique_object_sids module. This allows duplicate objectSIDs on foreign security principals, and disallows duplicates for local objectSIDs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
replmd: check for the sortedLinks feature flag If it is there, we assume linked attributes are stored in a sorted order. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
dsdb: Honour @SAMBA_FEATURES_SUPPORTED flag in @IDXATTR This allows us to detect modification by a Samba version prior to the introduction of the compatibleFeatures logic as this flag will be stripped by the schema load code of older Samba versions. Therefore if it is not present, then remove all compatibleFeatures. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
schema: Set flag into @INDEXLIST to indicate we support feature flags Because @INDEXLIST is rewritten by all Samba versions, we can detect that we have opened the database with an older version that does not support the feature flags by the absence of this in @INDEXLIST. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
samba_dsdb: Use and maintain compatibleFeatures and requiredFeatures in @SAMBA_DSDB This will allow us to introduce new database features that are backward compatible from the point of view of older versions of Samba, but which will be damaged by modifying the database with such a version. For example, if linked attributes are stored in sorted order in 4.7, and this change, without any values in current_supportedFeatures is itself included in 4.6, then our sortedLinks are backward compatible to that release. That is with 4.6 (including this patch) which doesn't care about ordering -- but a downgraded 4.7 database used by 4.6 will be broken when later used with 4.7. If we add a 'sortedLinks' feature flag in compatibleFeatures, we can detect that. This will allow us to determine if the database still contains unsorted links, as that information allows us to make the code handling links much more efficient. We won't add the actual flag until all the code is in place. Andrew wrote the actual code and Douglas wrote the tests, and they cross-reviewed. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> selftest: check for database features flags
Revert "dsdb: Disable tombstone_reanimation module until we isolate what causes flaky tests" This reverts commit 252b62c54ed5a4aabbdccf315f1a0ae3d958d11c. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4:samba_dsdb: add "dsdb_flags_ignore" module This module removes internal flags from ldb_message_elements. Typically the repl_meta_data module handles DSDB_FLAG_INTERNAL_FORCE_META_DATA, but there're some cases where we don't use that module. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dsdb: Move operational below repl_meta_data so we can query parentGUID This avoids re-adding the same code in repl_meta_data or making a shared subroutine. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Implement Virtual List View (VLV) VLV is a more sophisticated version of paged searches that allows you to ask for arbitrary windows in a previously performed sorted search. If clients use VLV correctly the original search will not be repeated. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dsdb: let samba_dsdb make use of the dsdb_notification module This means our LDAP server will support LDB_CONTROL_NOTIFICATION_OID now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dsdb: Disable tombstone_reanimation module until we isolate what causes flaky tests Change-Id: I323a2cd5eb2449a44a9cb53abab5a127d21c5967 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4-dsdb: Insert tombstone_reanimate module in ldb modules chain after objectclass Change-Id: Id9748f36f0aefe40b1894ecd2e5071e3b9c8a6d6 Signed-off-by: Kamen Mazdrashki <kamenim@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>