10 years ago  autobuild: fixed the --tail option for new log locations
Andrew Tridgell [Fri, 1 Oct 2010 02:41:50 +0000 (19:41 -0700)]
autobuild: fixed the --tail option for new log locations

10 years ago  s4-rodc: don't set SPECIAL_SECRET_PROCESSING on EXOP_REPL_SECRET
Andrew Tridgell [Thu, 30 Sep 2010 22:24:58 +0000 (15:24 -0700)]

otherwise we don't get the secrets!

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-spn: don't try and send an empty SPN list
Andrew Tridgell [Thu, 30 Sep 2010 22:02:50 +0000 (15:02 -0700)]
s4-spn: don't try and send an empty SPN list

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  selftest: Let selftest provide the tempdir, rather than creating it as side effect...
Jelmer Vernooij [Fri, 1 Oct 2010 01:31:06 +0000 (01:31 +0000)]
selftest: Let selftest provide the tempdir, rather than creating it as side effect of

10 years ago  selftest: fixed a selftest error on sn
Andrew Tridgell [Fri, 1 Oct 2010 00:24:50 +0000 (17:24 -0700)]
selftest: fixed a selftest error on sn

Pair-Programmed-With: Jelmer Vernooij <>

10 years ago  delete_object: Remove unnecessary pass calls.
Jelmer Vernooij [Thu, 30 Sep 2010 23:41:58 +0000 (01:41 +0200)]
delete_object: Remove unnecessary pass calls.

10 years ago  s4-selftest: Remove unnecessary PYTHONPATH overrides.
Jelmer Vernooij [Thu, 30 Sep 2010 23:05:12 +0000 (01:05 +0200)]
s4-selftest: Remove unnecessary PYTHONPATH overrides.

10 years ago  s4-selftest: Normalize paths.
Jelmer Vernooij [Thu, 30 Sep 2010 16:29:58 +0000 (18:29 +0200)]
s4-selftest: Normalize paths.

10 years ago  s4-selftest: Finish conversion of to Python.
Jelmer Vernooij [Thu, 30 Sep 2010 16:23:20 +0000 (18:23 +0200)]
s4-selftest: Finish conversion of to Python.

10 years ago  s4-selftest: Convert to Python.
Jelmer Vernooij [Thu, 30 Sep 2010 12:55:04 +0000 (14:55 +0200)]
s4-selftest: Convert to Python.

10 years ago  autobuild: push of ref/notes/commits isn't allowed in master
Andrew Tridgell [Thu, 30 Sep 2010 21:42:02 +0000 (14:42 -0700)]
autobuild: push of ref/notes/commits isn't allowed in master

metze may enable this later

Autobuild-User: Andrew Tridgell <>
Autobuild-Date: Thu Sep 30 22:25:02 UTC 2010 on sn-devel-104

10 years ago  s4-provision: wipe the old keytabs when provisioning
Andrew Tridgell [Thu, 30 Sep 2010 19:45:00 +0000 (12:45 -0700)]
s4-provision: wipe the old keytabs when provisioning

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-rodc: fixed the keyVersionNumber on the RODC account in secrets.keytab
Andrew Tridgell [Thu, 30 Sep 2010 19:44:39 +0000 (12:44 -0700)]
s4-rodc: fixed the keyVersionNumber on the RODC account in secrets.keytab

we need to fetch the msDS-keyVersionNumber from the writeable DC

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-drs: put the GCSPN flag into the repsTo if requested
Andrew Tridgell [Thu, 30 Sep 2010 19:43:45 +0000 (12:43 -0700)]
s4-drs: put the GCSPN flag into the repsTo if requested

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-libnet: wipe the old keytab when exporting
Andrew Tridgell [Thu, 30 Sep 2010 19:43:14 +0000 (12:43 -0700)]
s4-libnet: wipe the old keytab when exporting

this prevents confusion with old keytab entries

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-dsdb: silence the domainFunctionality not setup warning
Andrew Tridgell [Thu, 30 Sep 2010 19:42:35 +0000 (12:42 -0700)]
s4-dsdb: silence the domainFunctionality not setup warning

10 years ago  autobuild: added much better email reporting
Andrew Tridgell [Thu, 30 Sep 2010 17:41:36 +0000 (10:41 -0700)]
autobuild: added much better email reporting

logs are now accessible via

10 years ago  autobuild: fixed exit status
Andrew Tridgell [Thu, 30 Sep 2010 16:37:42 +0000 (09:37 -0700)]
autobuild: fixed exit status

this should fix the case where we don't send logs on failure

10 years ago  s4-drs: added support for level 10 of getncchanges
Andrew Tridgell [Thu, 30 Sep 2010 06:30:18 +0000 (23:30 -0700)]
s4-drs: added support for level 10 of getncchanges

added a simple mapping from req8

10 years ago  LDAPCmp feature to compare nTSecurityDescriptors
Zahari Zahariev [Thu, 30 Sep 2010 01:13:02 +0000 (04:13 +0300)]
LDAPCmp feature to compare nTSecurityDescriptors

New feature that enables LDAPCmp users to find unmatched or
missing ACEs in objects for the three naming contexts between
DCs in one domain (default) or different domains. Comparing
security descriptors is not the default action but attribute
comparison. So to activate the new mode there is a --sd switch.
However there are two view modes to the new --sd action which
are 'section' (default) or 'collision'. In 'section' mode you
can only find differences connected to missing or value
unmatched ACEs but not disorder unmatch if ACE values and count
are the same. All of the mentioned differences plus disorder
ACE unmatch you can observe under 'collision' view; however
it is more verbose.

Signed-off-by: Anatoliy Atanasov <>
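
The two view modes described in the commit message above, as an added example written for this page (it is not LDAPCmp's own code and does not talk to a DC). It assumes the ACEs of an nTSecurityDescriptor have already been fetched from each DC and flattened to SDDL ACE strings; the sample DACLs below are constructed, and the only real identifier in them is the well-known DS-Replication-Get-Changes control access right GUID. 'section' is an order-insensitive multiset comparison that reports missing or value-unmatched ACEs; 'collision' adds positional mismatches, so two DACLs holding the same ACEs in a different order are flagged only there.

```python
from collections import Counter


def normalize_ace(ace: str) -> tuple:
    """Parse one SDDL ACE string into a comparable tuple.

    Access-right tokens are two letters each and their order carries no
    meaning, so they are sorted to stop "RPLC" and "LCRP" from reporting as a
    value mismatch. A hex access mask ("0x...") is kept as written.
    """
    body = ace.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("not an SDDL ACE: %r" % ace)
    fields = body[1:-1].split(";")
    if len(fields) != 6:
        raise ValueError("expected 6 ';'-separated fields: %r" % ace)
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
    if rights.lower().startswith("0x"):
        rights_key = rights.lower()
    elif len(rights) % 2:
        raise ValueError("odd-length rights string: %r" % ace)
    else:
        rights_key = ",".join(sorted(rights[i:i + 2] for i in range(0, len(rights), 2)))
    return (ace_type, flags, rights_key, obj_guid.lower(), inh_guid.lower(), trustee)


def compare_section(aces_a, aces_b):
    """'section' view: order-insensitive; reports only missing/unmatched ACEs."""
    ca = Counter(normalize_ace(a) for a in aces_a)
    cb = Counter(normalize_ace(b) for b in aces_b)
    return {
        "missing_on_b": sorted((ca - cb).elements()),   # present on A only
        "missing_on_a": sorted((cb - ca).elements()),   # present on B only
    }


def compare_collision(aces_a, aces_b):
    """'collision' view: everything 'section' reports, plus the positions at
    which the two DACLs disagree, so a pure reordering is visible too."""
    report = compare_section(aces_a, aces_b)
    na = [normalize_ace(a) for a in aces_a]
    nb = [normalize_ace(b) for b in aces_b]
    report["disorder"] = [i for i, (x, y) in enumerate(zip(na, nb)) if x != y]
    if len(na) != len(nb):   # trailing ACEs with no counterpart on the other side
        report["disorder"].extend(range(min(len(na), len(nb)), max(len(na), len(nb))))
    return report


def sd_matches(aces_a, aces_b, view="section"):
    """True when the chosen view finds no difference between the two DACLs."""
    report = compare_collision(aces_a, aces_b) if view == "collision" else compare_section(aces_a, aces_b)
    return not any(report.values())


# Constructed sample: the DACL of one object as read from two DCs. The
# trustees are SDDL aliases (DA, AU, SY); the GUID is DS-Replication-Get-Changes.
DC1 = [
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    "(A;;RPLCLORC;;;AU)",
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DA)",
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)",
]
DC2_REORDERED = [DC1[3], DC1[0], DC1[2], "(A;;LCRPLORC;;;AU)"]   # same ACEs, order and rights tokens shuffled
DC3_MISSING = [DC1[0], DC1[2], DC1[3]]                              # the AU ACE never replicated

if __name__ == "__main__":
    for name, other in (("reordered", DC2_REORDERED), ("missing", DC3_MISSING)):
        print(name, "section:", sd_matches(DC1, other), "collision:", compare_collision(DC1, other))
```

Run as a script it prints one line per sample DACL; the reordered copy passes the section view and fails only the collision view, while the copy with a missing ACE fails both, which is the distinction the commit message draws.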

10 years ago  s3: Add "smbcontrol winbindd ip-dropped <local-ip>"
Volker Lendecke [Wed, 29 Sep 2010 10:17:05 +0000 (12:17 +0200)]
s3: Add "smbcontrol winbindd ip-dropped <local-ip>"

This is supposed to improve the winbind reconnect time after an ip address
has been moved away from a box. Any kind of HA scenario will benefit from
this, because winbindd does not have to wait for the TCP timeout to kick in
when a local IP address has been dropped and DC replies are not received

10 years ago  s3: Re-introduce a procid_self()
Volker Lendecke [Thu, 30 Sep 2010 14:27:42 +0000 (16:27 +0200)]
s3: Re-introduce a procid_self()

Giving the parent pid to reinit_after_fork is not a good idea....
None of the other callers do this, checked it.

10 years ago  s3: Fix a typo in dump-domain-list smbcontrol usage msg
Volker Lendecke [Thu, 30 Sep 2010 13:17:09 +0000 (15:17 +0200)]
s3: Fix a typo in dump-domain-list smbcontrol usage msg

10 years ago  s4-selftest: Add some more comments to skip file.
Jelmer Vernooij [Thu, 30 Sep 2010 08:31:38 +0000 (10:31 +0200)]
s4-selftest: Add some more comments to skip file.

10 years ago  selftest: Eliminate some unnecessary spaces.
Jelmer Vernooij [Thu, 30 Sep 2010 08:31:29 +0000 (10:31 +0200)]
selftest: Eliminate some unnecessary spaces.

10 years ago  selftest: Avoid accessing deprecated BaseException.message.
Jelmer Vernooij [Thu, 30 Sep 2010 08:31:03 +0000 (10:31 +0200)]
selftest: Avoid accessing deprecated BaseException.message.

Thanks to Andreas for pointing this out.

10 years ago  subunit: Import new upstream snapshot (adds subunit_progress())
Jelmer Vernooij [Thu, 30 Sep 2010 07:29:42 +0000 (09:29 +0200)]
subunit: Import new upstream snapshot (adds subunit_progress())

10 years ago  testtools: Import new upstream snapshot.
Jelmer Vernooij [Thu, 30 Sep 2010 07:18:01 +0000 (09:18 +0200)]
testtools: Import new upstream snapshot.

10 years ago  s4-drepl: don't call UpdateRefs on a RODC
Andrew Tridgell [Thu, 30 Sep 2010 05:08:48 +0000 (22:08 -0700)]
s4-drepl: don't call UpdateRefs on a RODC

we use the ADD_REF bit in getncchanges instead

Pair-Programmed-With: Anatoliy Atanasov <>

10 years ago  s4-drepl: fixed the checking of replica_flags in the drepl server
Andrew Tridgell [Thu, 30 Sep 2010 05:04:21 +0000 (22:04 -0700)]
s4-drepl: fixed the checking of replica_flags in the drepl server

we were incorrectly avoiding a getncchanges when WRIT_REP was not set

Pair-Programmed-With: Anatoliy Atanasov <>

10 years ago  s4-kcc: fixed the replica_flags in repsFrom in the kcc
Andrew Tridgell [Thu, 30 Sep 2010 05:03:35 +0000 (22:03 -0700)]
s4-kcc: fixed the replica_flags in repsFrom in the kcc

if our calculated replica_flags doesn't match the ones in our repsFrom
then update it

Pair-Programmed-With: Anatoliy Atanasov <>

10 years ago  idl-drsuapi: fixed another replica_flags that should use the bitmap
Andrew Tridgell [Thu, 30 Sep 2010 05:02:54 +0000 (22:02 -0700)]
idl-drsuapi: fixed another replica_flags that should use the bitmap

Pair-Programmed-With: Anatoliy Atanasov <>

10 years ago  s4-dns: send A record updates via TKEY
Andrew Tridgell [Thu, 30 Sep 2010 00:33:49 +0000 (17:33 -0700)]
s4-dns: send A record updates via TKEY

10 years ago  s3-spoolss: make sure to exit early and with the appropriate error code in
Günther Deschner [Thu, 30 Sep 2010 00:28:41 +0000 (02:28 +0200)]
s3-spoolss: make sure to exit early and with the appropriate error code in


10 years ago  spoolss: use the correct flags for spoolss_PrinterInfo1 struct.
Günther Deschner [Thu, 30 Sep 2010 00:05:36 +0000 (02:05 +0200)]
spoolss: use the correct flags for spoolss_PrinterInfo1 struct.


10 years ago  s3-spoolss: Fix servername/printername handling which turns out to be very important...
Günther Deschner [Wed, 29 Sep 2010 02:51:56 +0000 (04:51 +0200)]
s3-spoolss: Fix servername/printername handling which turns out to be very important to get right.


10 years ago  s4-smbtorture: add new EnumPrinters test to test printername/servername
Günther Deschner [Wed, 29 Sep 2010 02:49:57 +0000 (04:49 +0200)]
s4-smbtorture: add new EnumPrinters test to test printername/servername
behaviour in EnumPrinter and GetPrinter calls.


10 years ago  s4-samldb: also set a password on the krbtgt_NNNN account
Andrew Tridgell [Wed, 29 Sep 2010 23:35:52 +0000 (16:35 -0700)]
s4-samldb: also set a password on the krbtgt_NNNN account

when we setup the krbtgt_NNNN account using the DCPROMO_OID control,
we also need to set an initial password for this account

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-devel: added new options to getncchanges script
Andrew Tridgell [Wed, 29 Sep 2010 22:50:04 +0000 (15:50 -0700)]
s4-devel: added new options to getncchanges script

added --pas, --dest-dsa and --replica-flags options

Pair-Programmed-With: Anatoliy Atanasov <>

10 years ago  s4-drs: implement PAS checks and access checks for getncchanges
Andrew Tridgell [Wed, 29 Sep 2010 22:49:15 +0000 (15:49 -0700)]
s4-drs: implement PAS checks and access checks for getncchanges

This implements partial attribute set checking on getncchanges. If the
client sends a partial_attribute_set then we only return the specified

This also implements access checking on the NC root for the access
right GUIDs for requests with and without reveal secrets

Pair-Programmed-With: Anatoliy Atanasov <>

10 years ago  s4-drs: added drs_security_access_check_nc_root()
Andrew Tridgell [Wed, 29 Sep 2010 22:46:23 +0000 (15:46 -0700)]
s4-drs: added drs_security_access_check_nc_root()

this checks security on the NC root of the specified naming context

10 years ago  util: added BINARY_ARRAY_SEARCH_V()
Andrew Tridgell [Wed, 29 Sep 2010 22:45:27 +0000 (15:45 -0700)]

this is used to search an array of values

10 years ago  s4-sam: added DOMAIN_RID_ENTERPRISE_READONLY_DCS for RODCs in the PAC
Andrew Tridgell [Wed, 29 Sep 2010 06:19:26 +0000 (23:19 -0700)]

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  libds: added more UF_ -> ACB_ flags mappings
Andrew Tridgell [Wed, 29 Sep 2010 06:18:47 +0000 (23:18 -0700)]
libds: added more UF_ -> ACB_ flags mappings

Pair-Programmed-With: Andrew Bartlett <>
Pair-Programmed-With: Stefan Metzmacher <>

10 years ago  midltests: add midltests-pipe-sync-ndr32-downgrade-02.idl
Stefan Metzmacher [Wed, 29 Sep 2010 08:47:34 +0000 (10:47 +0200)]
midltests: add midltests-pipe-sync-ndr32-downgrade-02.idl


10 years ago  midltests: support for fragmented RPC traffic
Stefan Metzmacher [Wed, 29 Sep 2010 07:37:05 +0000 (09:37 +0200)]
midltests: support for fragmented RPC traffic


10 years ago  midltests: print out the alloc_hint for requests and responses
Stefan Metzmacher [Wed, 29 Sep 2010 07:06:58 +0000 (09:06 +0200)]
midltests: print out the alloc_hint for requests and responses


10 years ago  midltests: improve NDR64 downgrade
Stefan Metzmacher [Wed, 29 Sep 2010 04:03:08 +0000 (06:03 +0200)]
midltests: improve NDR64 downgrade


10 years ago  midltests: revert to a simple default midltests.idl
Stefan Metzmacher [Wed, 29 Sep 2010 08:28:29 +0000 (10:28 +0200)]
midltests: revert to a simple default midltests.idl


10 years ago  s3-waf: add basic make test infrastructure, not able to test yet.
Günther Deschner [Wed, 29 Sep 2010 06:54:00 +0000 (08:54 +0200)]
s3-waf: add basic make test infrastructure, not able to test yet.


10 years ago  s3-waf: clean up socket-wrapper and nss-wrapper a little.
Günther Deschner [Wed, 29 Sep 2010 06:49:39 +0000 (08:49 +0200)]
s3-waf: clean up socket-wrapper and nss-wrapper a little.


10 years ago  s3-waf: add vlp binary.
Günther Deschner [Wed, 29 Sep 2010 06:48:49 +0000 (08:48 +0200)]
s3-waf: add vlp binary.


10 years ago  s4-spnupdate: when we are a RODC we need to use the WriteSPN DRS call
Andrew Tridgell [Wed, 29 Sep 2010 03:47:03 +0000 (20:47 -0700)]
s4-spnupdate: when we are a RODC we need to use the WriteSPN DRS call

we can't do SPN updates via sam writes and replication, as the sam is

10 years ago  s4-drsutils: expose DsBind() call in
Andrew Tridgell [Wed, 29 Sep 2010 03:46:15 +0000 (20:46 -0700)]
s4-drsutils: expose DsBind() call in

this will be used by samba_spnupdate

10 years ago  s4-kerberos: use TZ=GMT when we are invoking krb5 code in helpers
Andrew Tridgell [Wed, 29 Sep 2010 03:43:58 +0000 (20:43 -0700)]
s4-kerberos: use TZ=GMT when we are invoking krb5 code in helpers

Our helper scripts can fail on Fedora with the PDT timezone (Western
USA). This is the same issue we found with Heimdal earlier today, the
24 second difference between GMT and UTC, but this time in MIT
Kerberos as linked into bind9.

By forcing TZ=GMT in these scripts we avoid the problem

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-rodc: RODC should not accept requests for role transfer
Nadezhda Ivanova [Wed, 29 Sep 2010 02:35:56 +0000 (19:35 -0700)]
s4-rodc: RODC should not accept requests for role transfer

A RODC cannot assume a role, and unwillingToPerform must be
returned if such a request is sent via LDAP

10 years ago  s4-provision: simplify our generated krb5.conf
Andrew Tridgell [Wed, 29 Sep 2010 02:11:34 +0000 (19:11 -0700)]
s4-provision: simplify our generated krb5.conf

we don't want to force the KDC to be ourselves, we should
be using DNS to find a live KDC. Also remove some other options and
allow the krb5 lib to use defaults.

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-kdc: RODC DCs should be able to produce forwardable tickets
Andrew Tridgell [Wed, 29 Sep 2010 02:10:27 +0000 (19:10 -0700)]
s4-kdc: RODC DCs should be able to produce forwardable tickets

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  heimdal: fixed timegm UTC/GMT bug
Andrew Tridgell [Wed, 29 Sep 2010 02:09:58 +0000 (19:09 -0700)]
heimdal: fixed timegm UTC/GMT bug

This was a wonderful bug!

On some Fedora systems, but not on Ubuntu, there is a difference
between UTC and GMT. Heimdal replaced timegm() with _der_timegm()
which did not account for that difference (which is 24 seconds at the
moment). This led to a mutual authentication failure.

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  s4-sam: fixed termination of krbtgt_attrs (comma and NULL)
Andrew Tridgell [Wed, 29 Sep 2010 02:07:43 +0000 (19:07 -0700)]
s4-sam: fixed termination of krbtgt_attrs (comma and NULL)

Pair-Programmed-With: Andrew Bartlett <>

10 years ago  ldb-dn: don't crash on NULL in ldb_binary_encode_string()
Andrew Tridgell [Wed, 29 Sep 2010 01:01:21 +0000 (18:01 -0700)]
ldb-dn: don't crash on NULL in ldb_binary_encode_string()

Thanks to Nadya for finding this one!

10 years ago  s4-kdc Ensure that an RODC may act as a server (needed to fill
Andrew Bartlett [Tue, 28 Sep 2010 23:06:39 +0000 (09:06 +1000)]
s4-kdc Ensure that an RODC may act as a server (needed to fill
the krbtgt role).

Andrew Bartlett

10 years ago  heimdal Use a separate krb5_auth_context for the delegated credentials
Andrew Bartlett [Tue, 28 Sep 2010 20:44:33 +0000 (06:44 +1000)]
heimdal Use a separate krb5_auth_context for the delegated credentials

If we re-use this context, we overwrite the timestamp while talking
to the KDC and fail the mutual authentication with the target server.

Andrew Bartlett

10 years ago  midltests/todo: add some random idl files I had tested month ago
Stefan Metzmacher [Tue, 28 Sep 2010 07:57:22 +0000 (09:57 +0200)]
midltests/todo: add some random idl files I had tested month ago


10 years ago  midltests: add midltests-pipe-sync-ndr32-downgrade-01.idl example
Stefan Metzmacher [Wed, 29 Sep 2010 00:36:51 +0000 (02:36 +0200)]
midltests: add midltests-pipe-sync-ndr32-downgrade-01.idl example


10 years ago  midltests: add some useful defines to midltests.idl
Stefan Metzmacher [Wed, 29 Sep 2010 00:50:19 +0000 (02:50 +0200)]
midltests: add some useful defines to midltests.idl


10 years ago  midltests: make it possible to allow downgrades to NDR32
Stefan Metzmacher [Wed, 29 Sep 2010 00:35:54 +0000 (02:35 +0200)]
midltests: make it possible to allow downgrades to NDR32


10 years ago  midltests: add a midltests_tcp.exe tool
Stefan Metzmacher [Tue, 28 Sep 2010 09:04:59 +0000 (11:04 +0200)]
midltests: add a midltests_tcp.exe tool

This uses a man in the middle approach in order to dump the
request and response pdus.

It also tests NDR32 and NDR64.


10 years ago  midltests: move the current implementation to midltests_simple.exe
Stefan Metzmacher [Tue, 28 Sep 2010 08:50:05 +0000 (10:50 +0200)]
midltests: move the current implementation to midltests_simple.exe


10 years ago  testprogs/win32: add vs2010-metze.cmd
Stefan Metzmacher [Tue, 28 Sep 2010 07:47:55 +0000 (09:47 +0200)]
testprogs/win32: add vs2010-metze.cmd


10 years ago  s3-printing: skip metadata entry when traversing printerlist.
Günther Deschner [Tue, 28 Sep 2010 23:18:07 +0000 (01:18 +0200)]
s3-printing: skip metadata entry when traversing printerlist.

We were creating a new printer (with a very broken name) out of the
lasttimestamp entry all the time.

Simo, please check.


10 years ago  pidl: add support for pointers in typedefs
Stefan Metzmacher [Wed, 5 Aug 2009 11:43:49 +0000 (13:43 +0200)]
pidl: add support for pointers in typedefs


10 years ago  pidl:NDR/Parser: remove unused code for array element index
Stefan Metzmacher [Tue, 21 Sep 2010 08:34:30 +0000 (10:34 +0200)]
pidl:NDR/Parser: remove unused code for array element index


10 years ago  pidl:NDR/Parser: simplify logic in ParseMemCtxPullFlags()
Stefan Metzmacher [Tue, 21 Sep 2010 01:48:09 +0000 (03:48 +0200)]
pidl:NDR/Parser: simplify logic in ParseMemCtxPullFlags()


10 years ago  pidl:NDR/Client: make the generated code look a bit nicer
Stefan Metzmacher [Tue, 21 Sep 2010 01:41:03 +0000 (03:41 +0200)]
pidl:NDR/Client: make the generated code look a bit nicer


10 years ago  librpc/ndr: remove 'async' from ndr_interface_call
Stefan Metzmacher [Mon, 20 Sep 2010 22:44:30 +0000 (00:44 +0200)]
librpc/ndr: remove 'async' from ndr_interface_call


10 years ago  pidl: remove unused async property handling
Stefan Metzmacher [Mon, 20 Sep 2010 22:41:29 +0000 (00:41 +0200)]
pidl: remove unused async property handling


10 years ago  pidl/Python: use has_property($d, "noopnum") helper function
Stefan Metzmacher [Tue, 21 Sep 2010 01:10:10 +0000 (03:10 +0200)]
pidl/Python: use has_property($d, "noopnum") helper function


10 years ago  pidl:NDR/ remove unreached code
Stefan Metzmacher [Tue, 21 Sep 2010 01:05:41 +0000 (03:05 +0200)]
pidl:NDR/ remove unreached code


10 years ago  pidl/Python: remove todo handling from PythonFunction(), it's done by the caller
Stefan Metzmacher [Tue, 21 Sep 2010 00:17:21 +0000 (02:17 +0200)]
pidl/Python: remove todo handling from PythonFunction(), it's done by the caller


10 years ago  pidl/Typelist: let typeIs() do TYPEDEF dereference in the HASH case
Stefan Metzmacher [Mon, 20 Sep 2010 23:40:56 +0000 (01:40 +0200)]
pidl/Typelist: let typeIs() do TYPEDEF dereference in the HASH case


10 years ago  s3-waf: add in a little hack to deal with the ECHO rpc module for non-developer builds.
Günther Deschner [Tue, 28 Sep 2010 20:53:08 +0000 (22:53 +0200)]
s3-waf: add in a little hack to deal with the ECHO rpc module for non-developer builds.

This will be removed once we have the rpc modules subsystem in place.


10 years ago  autobuild: use git notes for autobuild messages
Andrew Tridgell [Tue, 28 Sep 2010 18:24:37 +0000 (11:24 -0700)]
autobuild: use git notes for autobuild messages

This avoids changing the commit ID when we add a note that the
autobuild has passed

thanks to Jelmer for this suggestion!

10 years ago  selftest: enable FAIL_IMMEDIATELY in autobuild make test
Andrew Tridgell [Tue, 28 Sep 2010 18:23:35 +0000 (11:23 -0700)]
selftest: enable FAIL_IMMEDIATELY in autobuild make test

this should reduce the time we wait for previous failing builds.

Right now this will only work for s4, as we need a makefile change for
s3 support

10 years ago  s4-drs: added support for DRSUAPI_EXOP_REPL_OBJ
Andrew Tridgell [Tue, 28 Sep 2010 17:48:38 +0000 (10:48 -0700)]
s4-drs: added support for DRSUAPI_EXOP_REPL_OBJ

this extended getncchanges operation replicates a single object

10 years ago  ldb-tdb: ignore failure to register control on rootdse
Andrew Tridgell [Tue, 28 Sep 2010 17:46:03 +0000 (10:46 -0700)]
ldb-tdb: ignore failure to register control on rootdse

this is expected for non-sam LDBs

10 years ago  s4-drs: use drs_ObjectIdentifier_*() calls in getncchanges
Andrew Tridgell [Tue, 28 Sep 2010 17:40:18 +0000 (10:40 -0700)]
s4-drs: use drs_ObjectIdentifier_*() calls in getncchanges

this allows for replication by GUID or SID

10 years ago  s4-drs: moved the drs_ObjectIdentifier handling to dsdb_dn.c
Andrew Tridgell [Tue, 28 Sep 2010 17:39:52 +0000 (10:39 -0700)]
s4-drs: moved the drs_ObjectIdentifier handling to dsdb_dn.c

this will be used outside of the drs server.

This also fixes the handling of the ndr_size elements of the

10 years ago  waf: we don't need the preprocessor recursion limit any more
Andrew Tridgell [Tue, 28 Sep 2010 17:38:40 +0000 (10:38 -0700)]
waf: we don't need the preprocessor recursion limit any more

thanks to ita for this

10 years ago  s4-drs: Added check for drs-manage-topology to updateRefs.
Nadezhda Ivanova [Mon, 27 Sep 2010 04:16:47 +0000 (21:16 -0700)]
s4-drs: Added check for drs-manage-topology to updateRefs.

10 years ago  s4-drs: Added drs_security_access_check function
Nadezhda Ivanova [Mon, 27 Sep 2010 04:14:45 +0000 (21:14 -0700)]
s4-drs: Added drs_security_access_check function

It takes a security token, an ldb_context, and the desired CAR and checks
if the principal has this CAR granted

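The control access right (CAR) check described in the two getncchanges commits above (the NC-root access check "for requests with and without reveal secrets", and the drs_security_access_check function that takes a token, an ldb context and a desired CAR), as an added example for this page. It is a model of the check, not Samba's drs_security_access_check() or drs_security_access_check_nc_root(), and it replaces the ldb lookup with a DACL handed in directly. The two CAR GUIDs are the real well-known DS-Replication-Get-Changes and DS-Replication-Get-Changes-All values and the group RIDs 516 and 498 are the well-known Domain Controllers and Enterprise Read-only Domain Controllers RIDs; the domain SID, the account RIDs and the DACL itself are constructed. The mapping "reveal secrets requires the -All right, otherwise Get-Changes suffices" is an assumption of this example.

```python
import uuid
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

# Well-known CAR GUIDs for DRS replication (real values from the AD schema).
DS_REPLICATION_GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
DS_REPLICATION_GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")

DOMAIN_SID = "S-1-5-21-1111-2222-3333"          # constructed for this example
DOMAIN_CONTROLLERS = DOMAIN_SID + "-516"          # well-known RID
ENTERPRISE_READONLY_DCS = DOMAIN_SID + "-498"     # well-known RID (DOMAIN_RID_ENTERPRISE_READONLY_DCS)
RODC_ACCOUNT = DOMAIN_SID + "-1105"               # constructed
ROGUE_ACCOUNT = DOMAIN_SID + "-1106"              # constructed


@dataclass(frozen=True)
class Ace:
    """One DACL entry, reduced to what a CAR check needs."""
    kind: str                                 # "allow" or "deny"
    trustee: str                              # SID the ACE applies to
    control_access: bool                      # ACE carries the RIGHT_DS_CONTROL_ACCESS bit
    object_type: Optional[uuid.UUID] = None   # None: plain ACE, covers every CAR


def has_control_access_right(dacl: Optional[Sequence[Ace]],
                             token_sids: Iterable[str],
                             car: uuid.UUID) -> bool:
    """Return True if the token is granted the CAR `car` by this DACL.

    The DACL is walked in order and the first applicable ACE decides. In a
    canonical DACL explicit denies sort before allows, so a deny wins even if a
    later allow would also match. An object ACE applies only to its own CAR;
    an ACE without an object type applies to every CAR.
    """
    if dacl is None:
        return True                           # no DACL at all grants everything
    sids = set(token_sids)
    for ace in dacl:
        if ace.trustee not in sids or not ace.control_access:
            continue
        if ace.object_type is not None and ace.object_type != car:
            continue                          # object ACE for a different CAR
        return ace.kind == "allow"
    return False                              # nothing matched: implicit deny


def getncchanges_access_check(nc_root_dacl, token_sids, reveal_secrets: bool) -> bool:
    """Model of the NC-root check: a request that wants secrets revealed needs
    the -All right, a plain request only Get-Changes (assumption, see lead-in)."""
    car = DS_REPLICATION_GET_CHANGES_ALL if reveal_secrets else DS_REPLICATION_GET_CHANGES
    return has_control_access_right(nc_root_dacl, token_sids, car)


# Constructed DACL on an NC root, in canonical order (denies first).
NC_ROOT_DACL = [
    Ace("deny", ROGUE_ACCOUNT, True),                                         # every CAR
    Ace("allow", ENTERPRISE_READONLY_DCS, True, DS_REPLICATION_GET_CHANGES),  # RODCs: no secrets
    Ace("allow", DOMAIN_CONTROLLERS, True, DS_REPLICATION_GET_CHANGES),
    Ace("allow", DOMAIN_CONTROLLERS, True, DS_REPLICATION_GET_CHANGES_ALL),
]

RODC_TOKEN = {RODC_ACCOUNT, ENTERPRISE_READONLY_DCS}
DC_TOKEN = {DOMAIN_SID + "-1000", DOMAIN_CONTROLLERS}
ROGUE_TOKEN = {ROGUE_ACCOUNT, DOMAIN_CONTROLLERS}   # the explicit deny must beat the group allow

if __name__ == "__main__":
    for name, tok in (("rodc", RODC_TOKEN), ("dc", DC_TOKEN), ("rogue", ROGUE_TOKEN)):
        print(name,
              "plain:", getncchanges_access_check(NC_ROOT_DACL, tok, False),
              "secrets:", getncchanges_access_check(NC_ROOT_DACL, tok, True))
```

The point worth noticing is the RODC token: it is granted Get-Changes through the Enterprise Read-only Domain Controllers group but not Get-Changes-All, so a getncchanges request that asks for secrets from an RODC's token fails the check even though the same token passes for an ordinary request.
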
10 years ago  s4-dsdb: adapted check_access_on_dn for use in drs.
Nadezhda Ivanova [Mon, 27 Sep 2010 04:12:48 +0000 (21:12 -0700)]
s4-dsdb: adapted check_access_on_dn for use in drs.

10 years ago  heimdal Fix DNS name qualification to not mangle IP addresses
Andrew Bartlett [Tue, 28 Sep 2010 17:59:15 +0000 (03:59 +1000)]
heimdal Fix DNS name qualification to not mangle IP addresses

If the host running this code used IPv6 forms for IPv4 addresses
then the check for '.' would not be sufficient to determine that this
isn't a name we should mangle.  Instead, check if it can be parsed
as a numeric address first, and only then mangle.

Andrew Bartlett

10 years ago  s4-kdc Handle the case where we may be given a ticket from an RODC in db layer
Andrew Bartlett [Tue, 28 Sep 2010 03:13:28 +0000 (13:13 +1000)]
s4-kdc Handle the case where we may be given a ticket from an RODC in db layer

This includes rewriting the PAC if the original krbtgt isn't to be
trusted, and reading different entries from the DB for the krbtgt
depending on the krbtgt number.

Andrew Bartlett

10 years ago  heimdal Add an error code for use in the RODC
Andrew Bartlett [Tue, 28 Sep 2010 03:10:24 +0000 (13:10 +1000)]
heimdal Add an error code for use in the RODC

In this case, the whole request packet should be forwarded to
a real KDC, with full secrets, as we don't have the password.

This could also be used to implement 'play dead when the LDAP
server is down'.

Andrew Bartlett

10 years ago  heimdal Add support for extracting a particular KVNO from the database
Andrew Bartlett [Tue, 28 Sep 2010 03:07:53 +0000 (13:07 +1000)]
heimdal Add support for extracting a particular KVNO from the database

This should allow master key rollover.

(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)

Andrew Bartlett

10 years ago  s4-kdc Add common setup, handle RODC setup case
Andrew Bartlett [Tue, 28 Sep 2010 03:05:37 +0000 (13:05 +1000)]
s4-kdc Add common setup, handle RODC setup case

This means we just set up the system_session etc in one place
and don't diverge between the MIT and Heimdal plugins.

We also now determine if we are an RODC and store some details
that we will need later.

Andrew Bartlett

10 years ago  s4-dsdb Add ldb_reset_err_string() when we set error codes.
Andrew Bartlett [Tue, 28 Sep 2010 02:57:15 +0000 (12:57 +1000)]
s4-dsdb Add ldb_reset_err_string() when we set error codes.

If we don't we could show an old, incorrect error

10 years ago  s4-dsdb Make samdb_reference_dn() use dsdb_search() and DSDB_SEARCH_ONE_ONLY
Andrew Bartlett [Tue, 28 Sep 2010 02:55:48 +0000 (12:55 +1000)]
s4-dsdb Make samdb_reference_dn() use dsdb_search() and DSDB_SEARCH_ONE_ONLY

This simplifies the function.  While doing so, also change the error
string setting to set a really clear error string for the failure to find
and failure to parse cases.

Andrew Bartlett

10 years ago  s4-kdc Add function to determine if a hdb entry is a RODC
Andrew Bartlett [Tue, 28 Sep 2010 02:53:06 +0000 (12:53 +1000)]
s4-kdc Add function to determine if a hdb entry is a RODC

This is important, as we must ignore the PAC from an RODC.

Andrew Bartlett