path: root/source4/dsdb
Age | Commit message | Author | Files | Lines
2026-04-08 | dsdb: use well-known object IDs for new user and computer objects | Björn Jacke | 1 | -6/+13

This allows redirusr and redircmp to work as expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 8 15:41:21 UTC 2026 on atb-devel-224
2026-02-25 | dsdb: Simplify samdb_cn_to_lDAPDisplayName() | Volker Lendecke | 1 | -9/+1

Use GUID_buf_string(), dom_sid_str_buf() and talloc_asprintf_addbuf()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2026-02-25 | dsdb: Simplify drs_ObjectIdentifier_to_debug_string() | Volker Lendecke | 1 | -13/+10

Use GUID_buf_string(), dom_sid_str_buf() and talloc_asprintf_addbuf()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2026-02-25 | dsdb: Simplify samdb_dn_to_dns_domain() with talloc_asprintf_addbuf() | Volker Lendecke | 1 | -11/+9

Only check for NULL once

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2026-01-21 | lib:ldb-samba:ildap: fix empty attribute list handling | Gary Lockyer | 1 | -0/+34

An LDB request interprets an empty attribute list as a request for no attributes, but LDAP interprets an empty list as a request for all attributes, and ["1.1"] as a request for no attributes, as per RFC4511:4.5.1.8 (SearchRequest.attributes).

We need to convert [] to ["1.1"] in the ildap module before the request goes out.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13852
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan 21 03:29:23 UTC 2026 on atb-devel-224
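The mismatch the commit above describes, as an added example that is not Samba's or the commit's own code: a caller that asks LDB for no attributes (an empty list, typically an existence check) must not let an empty list reach the LDAP wire, or the server will return every attribute it is allowed to show. The function below translates an LDB-style list into the LDAP list, following the convention stated in the commit (LDB: NULL means all, [] means none; LDAP per RFC 4511 4.5.1.8: [] means all, ["1.1"] means none). The function names and the status-return convention are this example's own assumptions.

```c
/* Added example, not Samba code. Assumed convention from the commit message:
 * LDB uses NULL for "all attributes" and an empty array for "no attributes";
 * LDAP (RFC 4511 section 4.5.1.8) uses an empty list for "all attributes"
 * and the single OID "1.1" for "no attributes". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_NO_ATTRIBUTES_OID "1.1"

/* Translate a NULL-terminated LDB attribute list into the list to send
 * on the wire. On success returns 0 and sets *out_wire/*out_n; a NULL
 * *out_wire with *out_n == 0 means "send an empty list" (LDAP: all
 * attributes). Returns -1 on allocation failure. Caller frees *out_wire. */
int ldb_attrs_to_ldap_attrs(const char **attrs, const char ***out_wire,
                            size_t *out_n)
{
    size_t n = 0;
    const char **wire;

    *out_wire = NULL;
    *out_n = 0;

    if (attrs == NULL) {
        /* LDB NULL == everything; LDAP empty list == everything. */
        return 0;
    }
    while (attrs[n] != NULL) {
        n++;
    }

    if (n == 0) {
        /* LDB [] == nothing. LDAP needs "1.1" to say the same thing;
         * sending [] unchanged would request every attribute instead. */
        wire = calloc(2, sizeof(*wire));
        if (wire == NULL) {
            return -1;
        }
        wire[0] = LDAP_NO_ATTRIBUTES_OID;
        *out_wire = wire;
        *out_n = 1;
        return 0;
    }

    /* Non-empty lists mean the same thing in both worlds: copy them. */
    wire = calloc(n + 1, sizeof(*wire));
    if (wire == NULL) {
        return -1;
    }
    memcpy(wire, attrs, n * sizeof(*wire));
    *out_wire = wire;
    *out_n = n;
    return 0;
}

/* True when the wire list asks the server to return no attributes. */
int ldap_attrs_request_none(const char **wire, size_t n)
{
    return n == 1 && strcmp(wire[0], LDAP_NO_ATTRIBUTES_OID) == 0;
}

int main(void)
{
    const char *none[] = { NULL };          /* constructed: LDB "no attributes" */
    const char **wire = NULL;
    size_t n = 0;

    if (ldb_attrs_to_ldap_attrs(none, &wire, &n) != 0) {
        return 1;
    }
    printf("empty LDB list -> %zu wire attribute(s), first = %s\n",
           n, wire[0]);
    free(wire);
    return 0;
}
```

The inverse direction is not symmetric: a server-side module receiving ["1.1"] should map it back to an empty LDB list, while an empty LDAP list maps to NULL, so keep the two conversions as separate functions rather than one round-trip helper.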
2026-01-15 | dsdb:password_hash: fix policy_hint controlled reset return codes | Douglas Bagnall | 1 | -2/+10

Resets are unwilling, not constrained.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2026-01-15 | dsdb:password_hash: policy_hints control makes resets check history | Douglas Bagnall | 1 | -1/+9

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2026-01-15 | dsdb:password_hash: "policy hints" resets honour minPwdAge | Douglas Bagnall | 1 | -3/+6

As always, a reset returns UNWILLING_TO_PERFORM even though it is pretending to be a change due to the control.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2026-01-15 | pytest:dsdb:password: test policy_hints oid | Douglas Bagnall | 1 | -0/+308

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2026-01-15 | pytest:dsdb:passwords: guess ldaps and ldap hosts from each other | Douglas Bagnall | 1 | -0/+8

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2026-01-15 | dsdb:password_hash: notice "policy hints" control | Douglas Bagnall | 1 | -1/+74

This still doesn't do anything, but it does mean we can set the control in tests without hitting unhandled critical control errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2026-01-15 | dsdb:password_hash: reject password reset with UNWILLING_TO_PERFORM | Douglas Bagnall | 2 | -5/+19

This is what Windows does: where a password change would cause CONSTRAINT_VIOLATION, a reset causes UNWILLING_TO_PERFORM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2026-01-15 | dsdb:password_hash: fix a typo | Douglas Bagnall | 1 | -1/+1

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-12-08 | auth: Use new data_blob_..._s() functions and remove talloc_keep_secret() | Pavel Filipenský | 1 | -5/+3

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2025-11-24 | s4:dsdb: Do not declare cm_print_error() | Andreas Schneider | 1 | -5/+0

This is part of the cmocka.h header file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Nov 24 11:28:08 UTC 2025 on atb-devel-224
2025-11-20 | s4:cracknames: initialise a string variable | Douglas Bagnall | 1 | -1/+1

because later we go

	ret = krb5_unparse_name_flags([...], &unparsed_name_short);
	if (ret) {
		free(unparsed_name_short);
		return WERR_NOT_ENOUGH_MEMORY;
	}

which is bad if a krb5_unparse_name_flags() errors without setting unparsed_name_short -- not that I see that happening in MIT or Heimdal.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-10-17 | Add missing include needed for cmocka.h | Andreas Schneider | 7 | -0/+7

This will be required in future.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
2025-10-10 | s4:dsdb:audit_log clean up doc comments | Gary Lockyer | 1 | -86/+98

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-10-10 | s4:dsdb:audit_log change action for auth info | Gary Lockyer | 2 | -7/+7

Change the action logged for authentication information changes from "Public key change" to "Auth info change", to reflect that it's not just changes to public keys that get logged.

This doesn't require a JSON log format version change, because the version was recently bumped in c9e752ab18f43758d704951f7f31e39dafa6fdb4 and there hasn't been a Samba release in the meantime.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-10-10 | s4:dsdb:audit_log log auth info changes | Gary Lockyer | 3 | -17/+57

Log changes to altSecurityIdentities, dNSHostName, msDS-additionalDnsHostNames and servicePrincipalName in the same way that msDS-KeyCredentialLink changes are logged.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-09-03 | dsdb:audit log: cmocka unit tests for KCL | Douglas Bagnall | 1 | -0/+155

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Sep 3 03:13:47 UTC 2025 on atb-devel-224
2025-09-03 | dsdb:audit: bump minor version of password logs (1.1 -> 1.2) | Douglas Bagnall | 1 | -1/+1

In https://wiki.samba.org/index.php/Interpreting_JSON_Audit_Logs we say:

> a version number for the JSON format. It has two parts.
>
> major: incremented if fields change meaning
> minor: incremented if a field is added
>
> A change in possible values does not usually trigger a version
> change. This is obviously true for client supplied data, but also
> applies to e.g. passwordType, where the set of supported password
> formats can change over time without changing the JSON version.

The last paragraph explicitly exempts us from a version change for adding a new possible value ("Public key change") to the "action" field. On the other hand we have expanded the scope of the log, which deserves some version recognition.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-09-03 | dsdb:audit: log if msDS-KeyCredentialLink changed | Douglas Bagnall | 1 | -0/+70

As noted in the comments, by "changed" we mean "set" or "unset". Explicitly re-setting to the current value will be logged as if it were a change. This follows the behaviour of the password fields.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-09-03 | dsdb:audit: password_change loggers take a new flag argument | Douglas Bagnall | 3 | -17/+29

This will allow a key credential link change to be logged, but we don't do that anywhere in this commit.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-09-03 | dsdb: audit: replace local min() with libreplace MIN() | Douglas Bagnall | 2 | -6/+2

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-31 | dsdb: Align an integer type | Volker Lendecke | 1 | -1/+1

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sun Aug 31 07:23:20 UTC 2025 on atb-devel-224
2025-08-31 | dsdb: Fix CID 1665142, Null pointer dereferences (FORWARD_NULL) | Volker Lendecke | 1 | -6/+9

Do the ADD/MOD early, don't risk dereferencing msg without assignment.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2025-08-27 | s4:dsdb:tests: Add tests for msDS-KeyCredentialLink attribute | Jennifer Sutton | 1 | -0/+474

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug 27 04:44:59 UTC 2025 on atb-devel-224
2025-08-27 | s4:dsdb: Implement msDS-KeyCredentialLink attribute | Jennifer Sutton | 2 | -0/+245

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 | s4:dsdb:tests: Add get_creds() method | Jennifer Sutton | 1 | -1/+5

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 | s4:dsdb: Remove outdated comments | Jennifer Sutton | 2 | -4/+0

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 | s4:dsdb:tests: Remove outdated comment | Jennifer Sutton | 1 | -2/+0

The relevant tests were enabled in commit 8cb416a0b569017e1928a7a1cead723ce64ca314.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 | s4:dsdb:acl: Fix LDB flags comparison | Jennifer Sutton | 1 | -2/+2

LDB_FLAG_MOD_* values are not actually flags, and the previous comparison was equivalent to

	(el->flags & LDB_FLAG_MOD_MASK) == 0

which is only true if none of the LDB_FLAG_MOD_* values are set, so we would not successfully return if the element was a DELETE. Correct the expression to what it was intended to be.

Commit 99b805e4cbeec232c65adb1a6f3fb326b55c4496 fixed a similar issue.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
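Why the commit above matters for an access check, as an added example that is not Samba's or the commit's own code: LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE and LDB_FLAG_MOD_DELETE are a small enumeration stored in the low bits of the element flags, not independent bits, so a bitwise test against one of them matches the others too. The numeric values below are assumed to be ldb's (ADD = 1, REPLACE = 2, DELETE = 3, mask 0x000f); the buggy form shown is one common way to get this wrong, not necessarily the expression the commit replaced, and the "needs validation" wrapper is this example's own stand-in for an ACL module's early return on DELETE.

```c
/* Added example, not Samba code. Values assumed to match ldb.h. */
#define LDB_FLAG_MOD_MASK     0x000f
#define LDB_FLAG_MOD_ADD      1        /* binary 01 */
#define LDB_FLAG_MOD_REPLACE  2        /* binary 10 */
#define LDB_FLAG_MOD_DELETE   3        /* binary 11: overlaps ADD and REPLACE */

/* Some other bit that can share the same flags word (invented for the example). */
#define EXAMPLE_INTERNAL_FLAG 0x0100

/* Wrong: treats DELETE as a bit mask. Because 3 is 0b11, ADD (0b01) and
 * REPLACE (0b10) both have a bit in common with it and also test true. */
int is_delete_buggy(unsigned int flags)
{
    return (flags & LDB_FLAG_MOD_DELETE) != 0;
}

/* Correct: isolate the enumeration with the mask, then compare for equality.
 * Unrelated bits in the same word (EXAMPLE_INTERNAL_FLAG) do not disturb it. */
int is_delete(unsigned int flags)
{
    return (flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE;
}

/* Stand-in for an access-control decision that may short-circuit on DELETE:
 * returns 0 when the element is a delete and may return early with success,
 * 1 when the element still needs the full validation path. */
int needs_validation(unsigned int flags)
{
    if (is_delete(flags)) {
        return 0;
    }
    return 1;
}

/* Counts how many of the three operations the buggy test misclassifies as a
 * delete; a correct predicate gives 0. Handy as a one-line self-check. */
int buggy_misclassifications(void)
{
    unsigned int ops[] = { LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE, LDB_FLAG_MOD_DELETE };
    int wrong = 0;
    unsigned int i;
    for (i = 0; i < sizeof(ops) / sizeof(ops[0]); i++) {
        int expect = (ops[i] == LDB_FLAG_MOD_DELETE);
        if (is_delete_buggy(ops[i]) != expect) {
            wrong++;
        }
        if (is_delete(ops[i]) != expect) {
            wrong += 100;   /* would signal a bug in the correct predicate */
        }
    }
    return wrong;
}

int main(void)
{
    return buggy_misclassifications() == 2 ? 0 : 1;
}
```

The general rule: whenever a header defines a `_MASK` alongside a set of small integers, the field is an enumeration packed into those bits, and the only safe test is `(flags & MASK) == VALUE`; a `flags & VALUE` test silently passes for any value that shares a bit, which in an ACL path turns "only deletes skip validation" into "adds and replaces skip it as well".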
2025-08-27 | s4:dsdb: Allow an SPN value to match the original dNSHostName with Validated Write | Jennifer Sutton | 1 | -2/+14

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 | s4:dsdb:tests: Correct unprefixed f‐string | Jennifer Sutton | 1 | -5/+2

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 | s4:dsdb:tests: Correct test name | Jennifer Sutton | 1 | -1/+1

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 | s4:dsdb:tests: Reformat ACEs to be more readable | Jennifer Sutton | 1 | -50/+25

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 | s4:dsdb:tests: Use sAMAccountName GUID constant | Jennifer Sutton | 2 | -2/+3

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-26 | dsdb:password_hash.c: restrict crypt hash to proper forms | Douglas Bagnall | 1 | -0/+24

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-07-30 | dsdb: fix bug 15872, use-after-free | Douglas Bagnall | 1 | -6/+10

We were finding the old element, reallocing, then copying, which is the wrong order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15872
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jul 30 02:03:40 UTC 2025 on atb-devel-224
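The ordering bug the commit above names, as an added example that is not the Samba code the fix touched: a pointer obtained by searching an array is a pointer into that array's allocation, and realloc() is free to move the allocation, so "find, realloc, copy" reads through a dangling pointer whenever the block moves. The element and message structs, the helper names and the duplicate-an-element operation are invented for illustration; the correct version copies by value before the realloc (keeping an index instead of a pointer works equally well).

```c
/* Added example, not Samba code. Types and helpers are illustrative only. */
#include <stdlib.h>
#include <string.h>

struct element {
    const char *name;
    int value;
};

struct message {
    struct element *elements;
    size_t num_elements;
};

/* Returns a pointer INTO msg->elements; it is only valid until the next
 * realloc() of that array. */
struct element *find_element(struct message *msg, const char *name)
{
    size_t i;
    for (i = 0; i < msg->num_elements; i++) {
        if (strcmp(msg->elements[i].name, name) == 0) {
            return &msg->elements[i];
        }
    }
    return NULL;
}

/* Wrong order: find (pointer into the array), realloc (may move the array),
 * then copy through the stale pointer. If the block moved, 'old' now points
 * into freed memory: a use-after-free. Kept here for comparison; not called. */
int duplicate_element_buggy(struct message *msg, const char *name)
{
    struct element *old = find_element(msg, name);
    struct element *grown;
    if (old == NULL) {
        return -1;
    }
    grown = realloc(msg->elements, (msg->num_elements + 1) * sizeof(*grown));
    if (grown == NULL) {
        return -1;
    }
    msg->elements = grown;
    grown[msg->num_elements] = *old;   /* reads freed memory if realloc moved */
    msg->num_elements++;
    return 0;
}

/* Correct order: copy the old element by value first, then realloc, then
 * write the saved copy into the grown array. Nothing dereferences the old
 * pointer after the allocation may have moved. */
int duplicate_element(struct message *msg, const char *name)
{
    struct element *old = find_element(msg, name);
    struct element copy;
    struct element *grown;
    if (old == NULL) {
        return -1;
    }
    copy = *old;                        /* taken before any realloc */
    grown = realloc(msg->elements, (msg->num_elements + 1) * sizeof(*grown));
    if (grown == NULL) {
        return -1;                      /* msg->elements is still valid */
    }
    msg->elements = grown;
    grown[msg->num_elements] = copy;
    msg->num_elements++;
    return 0;
}

/* Builds a one-element message (constructed input), duplicates the element
 * the safe way, and returns how many intact copies of it exist afterwards
 * (expected 2), or -1 on failure. Frees everything it allocates. */
int count_after_duplicate(const char *name)
{
    struct message msg = { NULL, 0 };
    int count = 0;
    size_t i;

    msg.elements = malloc(sizeof(*msg.elements));
    if (msg.elements == NULL) {
        return -1;
    }
    msg.elements[0].name = name;
    msg.elements[0].value = 42;
    msg.num_elements = 1;

    if (duplicate_element(&msg, name) != 0) {
        free(msg.elements);
        return -1;
    }
    for (i = 0; i < msg.num_elements; i++) {
        if (strcmp(msg.elements[i].name, name) == 0 && msg.elements[i].value == 42) {
            count++;
        }
    }
    free(msg.elements);
    return count;
}

int main(void)
{
    return count_after_duplicate("objectClass") == 2 ? 0 : 1;
}
```

Bugs of this shape rarely show up in ordinary runs because small reallocs often grow in place; build the affected code with AddressSanitizer (or run under valgrind) so that the moved-block case is reported the first time it happens rather than surfacing as a corrupted directory object later.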
2025-05-26 | s4:dsdb: Check dsdb_module_search() return value | Jennifer Sutton | 1 | -0/+4

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-26 | s4:dsdb: Remove trailing whitespace | Jennifer Sutton | 1 | -10/+10

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-26 | s4:dsdb: Fix code spelling | Jennifer Sutton | 1 | -1/+1

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-26 | s4:dsdb: Remove unused code | Jennifer Sutton | 2 | -98/+0

This code has not served a purpose since 2010, when commit 6a2f7fe04c2c658e59fba01f7346303676b121b3 removed dsdb_class_from_drsuapi().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15852
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-26 | s4:dsdb: Remove trailing whitespace | Jennifer Sutton | 1 | -6/+6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15852
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-26 | s4:dsdb: Use PyLong_FromUnsignedLong() for unsigned values | Jennifer Sutton | 1 | -5/+5

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-26 | python:samdb: Add get_searchFlags_from_lDAPDisplayName() method | Jennifer Sutton | 1 | -0/+34

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15852
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-26 | python:samdb: Add get_must_contain_from_lDAPDisplayName() method | Jennifer Sutton | 1 | -0/+89

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15852
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-26 | python:samdb: Add get_lDAPDisplayName_by_governsID_id() method | Jennifer Sutton | 1 | -0/+35

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15852
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-04-03 | libcli/security: split trust_forest_info_* functions into samba-security-trusts | Stefan Metzmacher | 1 | -1/+1

This will avoid dependency loops in following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>