The branch, master has been updated via 09135ee5a09a8b6aabf88c1bdf9280065c8b35e7 (commit) via 2fc5331e5c23e3f448b53fa7838e478772d0caed (commit) from 7889823783625e16e273770f73f285920828e411 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 09135ee5a09a8b6aabf88c1bdf9280065c8b35e7 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Jul 18 10:15:55 2009 +1000 s4:kdc Add in a simple check for constrained delegation to self To do this properly, we must use the PAC, but for now this is enough to check that we are delegating to another name on the same host (which must be safe). (Windows 7 does this a lot, also noted in bug 6273) Andrew Bartlett commit 2fc5331e5c23e3f448b53fa7838e478772d0caed Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de> Date: Fri Jul 10 12:48:18 2009 +0200 [SAMBA 4 directory] Refactoring and clean up of directory structure - Adds more system objects which make sense to have them in SAMBA 4 also to have them when we add more and more services related to the directory (volume support, DFS, replication service, COM...) - Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes are set correctly on each object ----------------------------------------------------------------------- Summary of changes: source4/kdc/hdb-samba4.c | 71 ++++++++++- source4/setup/provision.ldif | 184 ++++++++++++++++++++----- source4/setup/provision_basedn_modify.ldif | 6 +- source4/setup/provision_computers_modify.ldif | 6 +- source4/setup/provision_configuration.ldif | 1 + source4/setup/provision_group_policy.ldif | 11 -- source4/setup/provision_self_join.ldif | 5 +- source4/setup/provision_users.ldif | 26 +--- source4/setup/provision_users_modify.ldif | 6 +- source4/setup/schema_samba4.ldif | 3 - 10 files changed, 237 insertions(+), 82 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 435282a..cadbe33 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c 
@@ -1422,6 +1422,75 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
 return 0;
 }
 
+krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal)
+{
+ struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db;
+ struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"),
+ struct loadparm_context);
+ krb5_error_code ret;
+ krb5_principal enterprise_prinicpal = NULL;
+ struct ldb_dn *realm_dn;
+ struct ldb_message *msg;
+ struct dom_sid *orig_sid;
+ struct dom_sid *target_sid;
+ struct hdb_ldb_private *p = talloc_get_type(entry->ctx, struct hdb_ldb_private);
+ const char *delegation_check_attrs[] = {
+ "objectSid", NULL
+ };
+
+ TALLOC_CTX *mem_ctx = talloc_named(db, 0, "hdb_samba4_check_constrained_delegation");
+
+ if (!mem_ctx) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, "hdb_samba4_fetch: talloc_named() failed!");
+ return ret;
+ }
+
+ if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ /* Need to reparse the enterprise principal to find the real target */
+ if (target_principal->name.name_string.len != 1) {
+ ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret, "hdb_samba4_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
+ target_principal->name.name_string.len);
+ talloc_free(mem_ctx);
+ return ret;
+ }
+ ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
+ &enterprise_prinicpal);
+ if (ret) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+ target_principal = enterprise_prinicpal;
+ }
+
+ ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, target_principal,
+ delegation_check_attrs, &realm_dn, &msg);
+
+ krb5_free_principal(context, enterprise_prinicpal);
+
+ if (ret != 0) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
+ orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
+ target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
+
+ /* Allow delegation to the same principal, even if by a different
+ * name. The easy and safe way to prove this is by SID
+ * comparison */
+ if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
+ talloc_free(mem_ctx);
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+ talloc_free(mem_ctx);
+ return ret;
+}
+
 /* This interface is to be called by the KDC, which is expecting Samba
 * calling conventions. It is also called by a wrapper
 * (hdb_ldb_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb
@@ -1486,7 +1555,7 @@ NTSTATUS kdc_hdb_samba4_create(TALLOC_CTX *mem_ctx,
 (*db)->hdb_destroy = hdb_samba4_destroy;
 (*db)->hdb_auth_status = NULL;
- (*db)->hdb_check_constrained_delegation = NULL;
+ (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
 
 return NT_STATUS_OK;
 }
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index e5b20d0..9f50b45 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -1,7 +1,28 @@
+dn: CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: builtinDomain
+forceLogoff: -9223372036854775808
+lockoutDuration: -18000000000
+lockOutObservationWindow: -18000000000
+lockoutThreshold: 0
+maxPwdAge: -37108517437440
+minPwdAge: 0
+minPwdLength: 0
+modifiedCountAtLastProm: 0
+nextRid: 1000
+pwdProperties: 0
+pwdHistoryLength: 0
+objectSid: S-1-5-32
+serverState: 1
+uASCompat: 1
+modifiedCount: 1
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+showInAdvancedViewOnly: FALSE
+
 dn: OU=Domain Controllers,${DOMAINDN}
 objectClass: top
 objectClass: organizationalUnit
-cn: Domain Controllers
 description: Default container for domain controllers
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
@@ -10,82 +31,171 @@ showInAdvancedViewOnly: FALSE
 dn: CN=ForeignSecurityPrincipals,${DOMAINDN}
 objectClass: top
 objectClass: container
-cn: ForeignSecurityPrincipals
 description: Default container for security identifiers (SIDs) associated with objects from external, trusted domains
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: FALSE
 
+dn: CN=Infrastructure,${DOMAINDN}
+objectClass: top
+objectClass: infrastructureUpdate
+systemFlags: -1946157056
+fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=LostAndFound,${DOMAINDN}
+objectClass: top
+objectClass: lostAndFound
+description: Default container for orphaned objects
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=NTDS Quotas,${DOMAINDN}
+objectClass: top
+objectClass: msDS-QuotaContainer
+description: Quota specifications container
+msDS-TombstoneQuotaFactor: 100
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=Program Data,${DOMAINDN}
+objectClass: top
+objectClass: container
+description: Default location for storage of application data.
+
+dn: CN=Microsoft,CN=Program Data,${DOMAINDN}
+objectClass: top
+objectClass: container
+description: Default location for storage of Microsoft application data.
+
 dn: CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
-cn: System
 description: Builtin system settings
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
 
-dn: CN=RID Manager$,CN=System,${DOMAINDN}
-objectclass: top
-objectclass: rIDManager
-cn: RID Manager$
+dn: CN=AdminSDHolder,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-rIDAvailablePool: 4611686014132423217
+
+dn: CN=ComPartitions,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=ComPartitionSets,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=Default Domain Policy,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: leaf
+objectClass: domainPolicy
+isCriticalSystemObject: TRUE
+
+dn: CN=AppCategories,CN=Default Domain Policy,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: classStore
+isCriticalSystemObject: TRUE
+
+dn: CN=Dfs-Configuration,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: dfsConfiguration
+isCriticalSystemObject: TRUE
+showInAdvancedViewOnly: FALSE
 
 dn: CN=DomainUpdates,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
-cn: DomainUpdates
+
+dn: CN=Operations,CN=DomainUpdates,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
 
 dn: CN=Windows2003Update,CN=DomainUpdates,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
-cn: Windows2003Update
 revision: 8
 
-dn: CN=Infrastructure,${DOMAINDN}
-objectclass: top
-objectclass: infrastructureUpdate
-cn: Infrastructure
+dn: CN=File Replication Service,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: applicationSettings
+objectClass: nTFRSSettings
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
 
-dn: CN=Builtin,${DOMAINDN}
+dn: CN=FileLinks,CN=System,${DOMAINDN}
 objectClass: top
-objectClass: builtinDomain
-cn: Builtin
-forceLogoff: -9223372036854775808
-lockoutDuration: -18000000000
-lockOutObservationWindow: -18000000000
-lockoutThreshold: 0
-maxPwdAge: -37108517437440
-minPwdAge: 0
-minPwdLength: 0
-modifiedCountAtLastProm: 0
-nextRid: 1000
-pwdProperties: 0
-pwdHistoryLength: 0
-objectSid: S-1-5-32
-serverState: 1
-uASCompat: 1
-modifiedCount: 1
+objectClass: fileLinkTracking
+systemFlags: -1946157056
 isCriticalSystemObject: TRUE
-showInAdvancedViewOnly: FALSE
+
+dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: fileLinkTracking
+objectClass: linkTrackObjectMoveTable
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=VolumeTable,CN=FileLinks,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: fileLinkTracking
+objectClass: linkTrackVolumeTable
 systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=IP Security,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+isCriticalSystemObject: TRUE
+
+dn: CN=Meetings,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+isCriticalSystemObject: TRUE
 
 dn: CN=Policies,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
 systemFlags: -1946157056
+isCriticalSystemObject: TRUE
 
-dn: CN=IP Security,CN=System,${DOMAINDN}
+dn: CN=RAS and IAS Servers Access Check,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
 
-dn: CN=ComPartitionSets,CN=System,${DOMAINDN}
+dn: CN=RID Manager$,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: rIDManager
+systemFlags: -1946157056
+fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
+rIDAvailablePool: 4611686014132423217
+isCriticalSystemObject: TRUE
+
+dn: CN=RpcServices,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
+objectClass: rpcContainer
 systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=Server,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: securityObject
+objectClass: samServer
+systemFlags: -1946157056
+revision: 65543
+isCriticalSystemObject: TRUE
 
+dn: CN=WinsockServices,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+isCriticalSystemObject: TRUE
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index 36e80ec..29ba75b 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -67,9 +67,6 @@ fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
 replace: systemFlags
 systemFlags: -1946157056
 -
-replace: isCriticalSystemObject
-isCriticalSystemObject: TRUE
--
 replace: subRefs
 subRefs: ${CONFIGDN}
 -
@@ -84,4 +81,7 @@ wellKnownObjects: B:32:a361b2ffffd211d1aa4b00c04fd7d83a:OU=Domain Controllers,${
 wellKnownObjects: B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
 wellKnownObjects: B:32:a9d1ca15768811d1aded00c04fd8d5cd:CN=Users,${DOMAINDN}
 -
+replace: isCriticalSystemObject
+isCriticalSystemObject: TRUE
+-
 ${DOMAINGUID_MOD}
diff --git a/source4/setup/provision_computers_modify.ldif b/source4/setup/provision_computers_modify.ldif
index 110c44c..b3d9dc1 100644
--- a/source4/setup/provision_computers_modify.ldif
+++ b/source4/setup/provision_computers_modify.ldif
@@ -3,11 +3,11 @@ changetype: modify
 replace: description
 description: Default container for upgraded computer accounts
 -
-replace: showInAdvancedViewOnly
-showInAdvancedViewOnly: FALSE
--
 replace: systemFlags
 systemFlags: -1946157056
 -
 replace: isCriticalSystemObject
 isCriticalSystemObject: TRUE
+-
+replace: showInAdvancedViewOnly
+showInAdvancedViewOnly: FALSE
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index 0dad24c..4109c22 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
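Review bot: `dn: CN=AdminSDHolder,CN=System,${DOMAINDN}` is created in the provision.ldif hunk as a bare container carrying only systemFlags and isCriticalSystemObject, and on a domain controller the security descriptor of this object is the template that gets propagated onto protected accounts and groups, so whatever ACL it receives at provision time is security-relevant. The hunk does not show where its nTSecurityDescriptor comes from; if the provisioning code applies a default descriptor elsewhere, a `# security descriptor applied by <provisioning step — confirm>` comment above the entry would record that, and if it does not, the entry needs one before the object is useful. The same question applies to `CN=Server,CN=System,${DOMAINDN}` (samServer), which is also added without any descriptor.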
@@ -8,6 +8,7 @@ cn: Partitions
 systemFlags: -2147483648
 msDS-Behavior-Version: ${FOREST_FUNCTIONALALITY}
 fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
+showInAdvancedViewOnly: TRUE
 
 dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN}
 objectClass: top
diff --git a/source4/setup/provision_group_policy.ldif b/source4/setup/provision_group_policy.ldif
index d6a4659..65ab1ea 100644
--- a/source4/setup/provision_group_policy.ldif
+++ b/source4/setup/provision_group_policy.ldif
@@ -1,14 +1,3 @@
-dn: CN=Default Domain Policy,CN=System,${DOMAINDN}
-objectClass: top
-objectClass: leaf
-objectClass: domainPolicy
-isCriticalSystemObject: TRUE
-
-dn: CN=AppCategories,CN=Default Domain Policy,CN=System,${DOMAINDN}
-objectClass: top
-objectClass: classStore
-isCriticalSystemObject: TRUE
-
 dn: CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index b60fea6..da8c5b9 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -15,7 +15,6 @@ sAMAccountName: ${NETBIOSNAME}$
 operatingSystem: Samba
 operatingSystemVersion: ${SAMBA_VERSION_STRING}
 dNSHostName: ${DNSNAME}
-isCriticalSystemObject: TRUE
 userPassword:: ${MACHINEPASS_B64}
 servicePrincipalName: HOST/${DNSNAME}
 servicePrincipalName: HOST/${NETBIOSNAME}
@@ -23,6 +22,7 @@ servicePrincipalName: HOST/${DNSNAME}/${REALM}
 servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
 servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
 servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
+isCriticalSystemObject: TRUE
 
 #Provide a account for DNS keytab export
 dn: CN=dns,CN=Users,${DOMAINDN}
@@ -36,9 +36,8 @@ userAccountControl: 514
 accountExpires: 9223372036854775807
 sAMAccountName: dns
 servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
 userPassword:: ${DNSPASS_B64}
-showInAdvancedViewOnly: TRUE
+isCriticalSystemObject: TRUE
 
 dn: ${SERVERDN}
 objectClass: top
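Review bot: In the provision_self_join.ldif hunk `@@ -36,9 +36,8 @@` the dns account loses `showInAdvancedViewOnly: TRUE` while `isCriticalSystemObject: TRUE` only moves, so the net effect for that entry is that the DNS keytab service account becomes visible in the normal (non-advanced) view of admin tools. The commit message describes setting showInAdvancedViewOnly "correctly" but does not mention dropping it on a service account, so either the message should say this is intended or the line should be restored as `showInAdvancedViewOnly: TRUE` after the moved isCriticalSystemObject line.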
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 88146d8..47240a9 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -7,8 +7,8 @@ objectSid: ${DOMAINSID}-500
 adminCount: 1
 accountExpires: 9223372036854775807
 sAMAccountName: Administrator
-isCriticalSystemObject: TRUE
 userPassword:: ${ADMINPASS_B64}
+isCriticalSystemObject: TRUE
 
 dn: CN=Guest,CN=Users,${DOMAINDN}
 objectClass: user
@@ -45,8 +45,8 @@ adminCount: 1
 accountExpires: 9223372036854775807
 sAMAccountName: krbtgt
 servicePrincipalName: kadmin/changepw
-isCriticalSystemObject: TRUE
 userPassword:: ${KRBTGTPASS_B64}
+isCriticalSystemObject: TRUE
 
 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
 objectClass: top
@@ -187,16 +187,6 @@ sAMAccountName: Event Log Readers
 groupType: -2147483644
 isCriticalSystemObject: TRUE
 
-dn: CN=IIS_IUSRS,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: group
-cn: IIS_IUSRS
-description: IIS_IUSRS
-objectSid: ${DOMAINSID}-568
-sAMAccountName: IIS_IUSRS
-groupType: -2147483644
-isCriticalSystemObject: TRUE
-
 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
@@ -210,7 +200,6 @@ adminCount: 1
 sAMAccountName: Administrators
 systemFlags: -1946157056
 groupType: -2147483643
-isCriticalSystemObject: TRUE
 privilege: SeSecurityPrivilege
 privilege: SeBackupPrivilege
 privilege: SeRestorePrivilege
@@ -235,6 +224,7 @@ privilege: SeEnableDelegationPrivilege
 privilege: SeInteractiveLogonRight
 privilege: SeNetworkLogonRight
 privilege: SeRemoteInteractiveLogonRight
+isCriticalSystemObject: TRUE
 
 dn: CN=Users,CN=Builtin,${DOMAINDN}
 objectClass: top
@@ -271,10 +261,10 @@ adminCount: 1
 sAMAccountName: Print Operators
 systemFlags: -1946157056
 groupType: -2147483643
-isCriticalSystemObject: TRUE
 privilege: SeLoadDriverPrivilege
 privilege: SeShutdownPrivilege
 privilege: SeInteractiveLogonRight
+isCriticalSystemObject: TRUE
-- Samba Shared Repository
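Review bot: The provision_users.ldif hunk `@@ -187,16 +187,6 @@` deletes the whole `CN=IIS_IUSRS,CN=Users,${DOMAINDN}` group (objectSid `${DOMAINSID}-568`), and that removal is not covered by the commit message, which only talks about adding system objects and fixing isCriticalSystemObject/showInAdvancedViewOnly. If the reasoning is that IIS_IUSRS is a well-known builtin alias (RID 568 under S-1-5-32) rather than a domain group, so provisioning it under CN=Users with a domain-SID RID was wrong, a sentence saying so in the commit message would stop the deletion being read as an accidental regression by anyone auditing provisioned principals.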